Slashdot Mirror
Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security?
New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.) With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security. The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors are all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.
One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
Just kidding. I am not advocating unlawful access. But it seems like many companies don't do a damn thing until they have a breach.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
After all it is not like they are judged by any other metric besides spending money or anything like that.
Also go to India or get some college kid to run it for cheap. That is what any MBA will tell you and it is not like it is hard or anything to do.
http://saveie6.com/
Insurance translates risk into dollars into quarterly financials.
Moral of the story: start training for a job as an actuary.
Software isn't this new thing that nobody really understands, so as-is, use at your risk is no longer should be applicable. If you sell insecure crap, then it gets hacked - your company should be responsible. Just like releasing food that poisons, electronics that electrocute, or clothing that let it all hang. Even Lululemon had to recall yoga pants because fabric showed too much when stretched...
Features are what counts. The more features software has, the better it is. And add more layers, because abstraction and indirection are good. And most importantly, make it bigger and more complex because everyone knows that code is good so the more code the better.
Eventually not even the hackers will understand it and we will all be safe.
That's a well-founded opinion. Remedies must accept this basic, annoying fact. Such remedies include:
1. Increasing transparency so that misbehavior is easy to spot.
2. Robust protocols for recovering from damage.
3. Promoting healthy skepticism and reasonable expectations.
I should know the instant that Equifax fumbles my data, have easily accessible methods of locking down my accounts, easily executable methods of renewing account #s etc., and know that shady/stupid creditors aren't going to help criminals use my info to defraud them. With those measure in place, and none of them seem super sci-fi, Equifax can go back to being their shareholder's problem and not mine (or much less mine).
There may still be critical systems that have to be more actively secured. That's going to be a hard problem forever, but there are plenty of intractable problems that just require constant vigilance. We can at least minimize them and concentrate efforts where they are needed.
Everyone at the top (CXO, board members, top paid employees based on cash plus stock options plus etc.) serves 1 day in prison for every instance of leaked info.
Chase it down through subsidiaries, contractors, shell corporations, spouses, etc.
The other option is mob justice. (Which is fine by me.)
Haul some C-level execs away in handcuffs. And don't put them in some white-collar resort prison either.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
The CIO wants a evolving always up to date black box of security that will never get between him and quarterly stock option rewards. It would also be great if it allowed him to lay off everyone but the sales force and that design guy with the retro eyewear who knows all the girls at the club.
Actually punish them when things go wrong. The cost of failure needs to be catastrophic, or at least higher than the cost of prevention.
Don't buy items that you do not believe to be secure, only buy secure items.
You can't handle the truth.
This article proposes jail time. Prison for a nonviolent offense. I really ask you to think about this. Because once any fuck up is worthy of jail time, you will not crawl out of that hole you dug for yourselves. But decades later you will be reviled and scorned for it. If that's the legacy you want, you will get it in spades.
So make it. Your company released data on 32 million people due to shoddy security? Your company will have to contact each one directly, individually, and cut them a check for $1000[1] on top of whatever monitoring services they might need now. Same thing if it's only 32 people.
This won't fix IoT issues, of course, but there's a different mechanism that could: cost internalizing. Require companies to pay into a fund for proper disposal of their products (which means they pass it along to consumers), where the amount they must pay is proportional to the cost of destruction/recycling but inversely proportional to the minimum serviceable window, and "serviceable" in the case of electronics is partially defined as providing upgrades, replacements, or maintenance to close security issues within the given window. After all, a device that is broken into is still broken, and for most people that means getting rid of it.
Razor-and-blade model won't hold out if each "blade" costs as much as the razor does.
[1] And be able to produce evidence that they received it; or, in cases where a person can be contacted, proof of a good-faith effort was made and the amount is instead donated or paid to another entity
If they aren't already interested in paying attention to security, pointing out where their security is flawed won't change anything. At best, they'll just think you're acting like some kind of know-it-all, and at worst, they might make your life thereafter somewhat unpleasant.
If a company doesn't pay attention to security, run in the other direction. Get as far away from them as you can.
File under 'M' for 'Manic ranting'
"This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism."
It's actually more complicated than this. You need to factor in the customer.
The vast majority of customers for above-mentioned devices are "IT security-impaired". In layman's terms, they have no fucking clue (I don't blame them by saying this, it's just the way things are). So they vote with their wallet.
If company A is very security-focused and produces aLightbulb with upgradeable firmware and active development for said firmware, but company B doesn't give a shit, you will end up with bLightbulb which costs 10 times less than aLightbulb. Guess which company would go out of business?
IoT is filled to the brim with customers looking for the cheaper alternative, and security isn't a driving factor to motivate them to buy the more expensive product. Getting companies to agree on a security standard? Good luck with that, there's always going to be the profit-oriented company willing to sell their lightbulbs 15% cheaper, and have them cost 4 times less, undercutting and eventually buying off competition.
Not saying I agree with how things are, but then again, it's how they are.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
devices need to have os and app code split into there own updates so it's easier to push out updates.
If Accountants are allowed to run a project, engineer a system, or engage in managing labor, they invariably mix up investing acumen with business acumen. When you are investing you are looking at concrete evidence and information backed by the threat of handcuffs; when you are managing a business you have to interpret and work with people and systems who are not perfect and are self-interested.
Invariably what ends up happening is the accountants, who are only good at managing numbers and statistics, treat their staff like numbers and statistics, and when that doesn't work, they put in place silly organizational controls which tend to break down due to a variety of reasons because they don't know what those controls affect, and then you invite Cthulhu to the dinner party. Compared to accounting, IT actually produces something useful to the enterprise, it's the accountants who are the cost center, and when accountants run IT, IT becomes a cost center due to it.
Seems to be a given,
ThinkPenguin.com has funded a variety of projects over the years one of them being an embedded router distribution called LibreCMC. The lead developer's top priority is rolling out security updates in a timely fashion. He's had 4 critical security updates in the past six months or so that I'm aware of to deal with and each time an update was available within a matter of hours. It took slightly more time for 1.4.1 to come out and then 1.4.1a (a week later) because it required more than a package update each time- but the point is it was probably released with a day or so of a patch being available from the upstream project. Compare this to how long its taking OpenWRT and other embedded distributions to get around to updating the same components it's a pronominal response time. ThinkPenguin also sells routers with LibreCMC which is awesome because it both helps fund the project and keep it going and also ensures there are routers readily available that can fully support the distribution. Most routers can't be fully supported by other embedded distributions because of proprietary components (even ones like OpenWRT and Leede). LibreCMC is a sync'd fork of Leede right now- but probably with more timely updates for certain components in regards to security.
So bemoan the tragedy of the commons.
Legislate something that nobody actually values with more than lip service.
Or actually insist on security by not buying (hahaha, all you who are the product, not the customer) or using things that are not secure enough for your tastes.
What an entitled bunch of chicken little security doomsayers.
(Captcha: steamer)
Headline kinda sez it all, even though it will never happen.
1-2 companies become memories because they got breached, Cxx's might give IT departments the resources they need to prevent breaches.
"this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.)"
So companies could do it if they knew it was a problem, but they don't because they're blissfully unaware, and the only people that would tell them won't?
Buildings don't collapse, trains don't crash and planes don't fall out of the sky because there are strict government standards on how to make one. These standards cover the software used in them as well, and we now actually have some reasonably good standard practices on how to make software reliable. Unfortunately, reliability and security are not the same, so what's needed is a set of standards that describe how to make secure networks. I fully understand that's not an easy job, but I'm pretty sure that some agencies that need high security have already developed their own solutions that could be adapted, no need to reinvent the wheel.
These security practices should be classed in different levels, and an appropriate certification level would be required for certain operations. Storing user data would require a low level if it's only an email address for example, but a very high level if it's a credit card number or fingerprint. Government contracts would also mandate a certification level depending on how security sensitive the job is. When multiple parties are involved in a project, their security level would equal to the lowest one. So a company could only outsource part of a level 4 job to an organisation that's at least level 4 certified. Let's be honest, the free market haven't solved this problem for decades and likely never will if left to itself.
When you drive a car, the law requires you to have insurance, because you can do a lot of damage to others you won't be able to pay for if it happens.
The idea here is to impose heavy damages in case of a breach and require companies to be insured to some amount. The insurance requirement is a way to prevent companies from just taking chances and get away with bankruptcy if bad things happen.
Another advantage is that insurance companies don't want their customers to get hacked so that they can offer attractive prices and make profit. As a result, they will make sure that security best practices are implemented in the same way that theft insurance require certain locks.
To sum up, with mandatory insurance :
- Hacked users will be compensated
- Insurance companies will have real financial incentives to find ways of making things more secure
- Insured companies will do their best to implement best practice as it will most likely lower their premiums. The worst may not be able to get insured at all and risk legal sanctions even before the inevitable hack happens
... and, you're welcome.
It little behooves the best of us to comment on the rest of us.
Unconditional and immediate forfeiture of $10000 to every customer who got their data stolen as a result of poor security practices.
That's the *only* way to get corporations to do anything.
One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark
And let me guess, the compliance and governing bodies would be staffed by the participating corporations?
$1 per name.
...
$5 per address.
$5 per phone number.
$10 per SSN.
$20 per CC number.
Anything else is lip service. And the fines go to the offended parties.
#Equifax
The problem with the idea of certifying security is that security is a constant moving target. Two weeks ago, WPA was thought to be secure and is part of the PCI-DSS (basically one of the main security "certifications" out there). Today, that's not so anymore. And while some might want to argue about this particular incident and how much it really matters, its more the idea than the single example. The list of CVEs being published every year is freaggin massive. Think of that first MD5 collision. We don't consider MD5 secure anymore. Then moved to SHA1, but now that has known collisions as well. And it is only a matter of time until we see the first collision on SHA256. So what is certified today may very well be entirely broken tomorrow.
A key problem is that the IT industry lacks useful metrics. For instance:
- We have Big O notation, but the compiler doesn't automatically detect algorithmic complexity. As such, no one can easily tell if you have written a program (algorithm) that scales well, or scales poorly. This is a big problem for non-trivial pieces of code, because it is very easy to include an O(n^2) library function in a "tight" O(n^2) loop.
- Memory management is so well hidden in modern environments, that it is often impossible to tell how efficiently memory is used. It's a variation on the Big O notation problem. Thus, memory usage in a large framework (C# or Java) can obscure memory leaks and O(n^2) memory usage problems, until n becomes sufficiently large (in full production).
- What metric measures security? Security doesn't even have the benefit of Big O notation.
- In a big program, it is often not even possible to tell what code paths are actually being used. Run-time profiling helps a great deal, however there are privacy issues.
- There is an entire landmine about programs including interpreters (compilers) to execute user generated code block. For a program of sufficient size, it is necessary to do this. However, it is a security nightmare. How do you even tell, in the context of a large application, if it is possible for someone with normal use rights to execute malicious code?
- Almost every programming resume claims that the person is proficient in HTML, Java, and C++. How do you tell which programmers are good? In the context of a given project, what does good mean anyway?
Some metrics are present in software, but they are often ridiculed:
- # of lines of code
- Execution time. Specifically, execution time does not matter if the task is sufficiently fast that no one cares. If you have a Big O notation scaling problem, it is often possible to ship software and someone not notice until it is in production.
Many other industries have methods of measuring quality and suitability. Software, it exists, but not in an easy to use, obvious and mature form.
Hold them accountable. Those C level assholes at Equifax should be facing serious jail time. But we all know they won't.
Require insurance to have a responsibility that can result in a bad thing. Real insurance, a policy that must cover the damage done by a potential breach. We do this all the time with risk. It creates an incentive to lower insurance costs by transparently reducing risk and increasing a strong reputation with the insurance provider. It also introduces the need to evaluate the benefit of possessing sensitive data in the first place.
Feedback loops define behavior, so the answer is simple, create feedback loops for bad security. There are many ways to do this. One way would be turn every ill-secured IoT devices against it maker and perform a periodic DoS attack on the company website and/or the sites that sell them. This would result in a rising level of traffic that will cause the company money which is the exact reason why they didn't bother to secure the devices. However, if you wish to force government regulation then you need only should turn IoT devices against websites that accept political donations for the current dominant political party. Some feedback loops are stronger than others, so it's something worth thinking about.
In my experience, anything that agitates congress will get immediate attention.
Anons need not reply. Questions end with a question mark.
"So, Randolph Q. Chairman — can I call you Randy? — Randy, every time a customer's data is stolen from your company's database, Boris here is going to cut you in half with his machete. Is that what you want, Randy? Hm?"
Nothing posted to
Create regulations that provide for large fines. Companies rarely care about anything unless it costs them money.
I think it's really simple. Money is what motivates pretty much everything. So when a company's negligence results in criminal activity adversely affecting a person, that company will need to pay to make it right. Make you whole again, plain and simple, whatever it takes. They pay for it all.
Also I think making security marketing bulletpoint would help. Companies that get hacked get a reputation for getting hacked and die off. Companies that example good security by not getting hacked get a sort of 'years of no hacks' award or something and can tout that "20 years of no hacks." Make it a competition! Hell companies will start TRYING to hack each other to dethrone the longest no hacks. Nothing like competition to spur innovation.
Another simple helping hand: Bug-bounties need to be hefty. They need to pay more than crime does. Until they do, people who find this stuff will sell it to criminals instead of you. You gotta pay more than the criminals for your sloppiness.
Not to worry, the perfectly-informed consumer* will choose not to buy insecure products, causing only perfectly secure devices to survive in the marketplace.
*Spherical, and in a vacuum
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
It will change when IT is an actual profession and regulations demand it.
The problem with this is that the costs will probably not be large enough to motivate a significant change in behaviour because hackers go after the details of customers not the money of the company being hacked. A faster and better way to do this would be to have legislated statutory minimum damages for each individual's details which are hacked. Say $10k for sensitive data like a credit card number with lower amounts for just an email address or name etc.
This will immediately establish the financial cost for being hacked and ensure that those most at the risk of damage from the hack have at least some compensation without having to go through the huge effort and expense of suing the company.
Get off the fucking âoecloudâ and expecting someone else to do security for you. Write code with security in mind from the getgo instead of tacking it in later. Donâ(TM)t hire kids just out of college. Theyâ(TM)re Idiots.
Ransomware is making companies actually focus on security. It used to be like they didn't care because it was just customer data (credit cards, etc) and it never really cost them anything. The cybergangs' tactical shift to ransomware for botnet monetization has changed all of that.
It culminated on Nov 8, 2016. And it is so well done that most Americans don't even realize we're under attack.
Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
These corporations are protected due to their crony alliance with government. The key to real change is twofold:
1. Get government completely out of the way, mlve the civil judicial system into the hands of private arbitrators, and strip away legal protections against corporate liability so that the arbitrators can impose unlimited financial liability on corporations and their officers for breaches.
2. Engineers need to work on being entrepaneurs. Innovation and global distribution in the age of the internet allows for anyone to circumvent even the greatest Silicon Valley giants. Outmaneuver them, build a better product, and force them to keep up or go under.
nothing instructs like pain.
Don't assume that better security is worthwhile. Security has huge costs until it gets built into things at ground level, and that takes decades to happen. Until then, we're better off with messy, insecure feature chasing.
Fortunately the future is on its way. More and more things are secure by default every day, it's just hard to tell because the systems they form are getting more sophisticated and it only takes one hole to bring the whole thing down. In 10-20 years the security picture will look much better. It will simply be nearly impossible to do anything connected without obeying a lot of conventions and participating in a lot of active systems that result in effective, layered security. This is naturally resulting from all the hackers bashing on our systems today. Everything will happen over SSL. Client certs will start to be verified. Read-only systems will play most production roles. No one will want the keys to anything they can possibly avoid having keys to. Etc. etc.
You can see right now in Europe how to do it. We've tried it the hard way for 30 years, worked not so very much. For about the same time we tried to convince politics that this is a danger, not much happened. Oh yeah, one day SOX happened and that brought a tiny benefit, but mostly on the paperwork and consulting-hours side.
In Europe, right now massive investments into information security are being made, because of two laws that politicians have finally passed, both at the EU level. One is the General Data Protection Regulation and the other is the Council Directive "on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection". You have an equivalent (referenced in the EU) from the NIST.
The fundamental change, and that answers your question, is that violations of these laws, and especially data breaches or other infosec events that could have been prevented with proper security, now carry massive fines. Let me quantify "massive":
â20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater
The magic bullet is the 4% rule. It refers to global revenue, and it refers to corporate revenue - no more reducing risk by seperating your corporation into tiny "independent" companies. If a five-person subsidary of Facebook suffers a severe data breach, the fine can be $ 345 million.
Also, the law puts the legal liability to top-level management. That is the second magic bullet. Put CEOs and directors on the front line. Unless they can demonstrate that they took steps to comply to the technical and organisational requirements, they could go to jail. Now that gets top-level management moving.
So the simple answer is: Hit them where it hurts. Money and personal liability. Take away the corporate shield and diffusion.
Disclaimer: I do this stuff for a living. We are currently being drowned in projects to implement ISMSs and the GDPR is a main driver behind that.
---
Addendum: This gets you basic security levels. As soon as the risk management labels the residual risk as acceptable, that's it. My personal opinion is that our security is still shoddy at those levels, and the main reason we're not all dead is that most hackers are imbeciles and the only reason they can make a living with their laughable hacking skills is that security is such a joke. For illustration, look at the typical spam / phishing mails you get. Who would fall for that shit full of spelling errors, grammar mistake and my-blind-grandma-could-spot-this forgery? The answer is: If you send it to enough people, you will find enough idiots who do.
Once we have a basic security level across the board, the game will change. Lots of "hackers" will have to go back serving burgers and fries, but those with any actual skills will step up their game. And then we'll be in a world of hurt. There'll be an Equifax every month. My daily rate will probably skyrocket because supply and demand, but I'm still not looking forward to that.
If you are serious about security, as the saying goes you don't have to run faster than the bear, only faster than your friends. But don't walk just because they do. Start running now, because once they are eaten, you have to run faster than the bear.
Assorted stuff I do sometimes: Lemuria.org
The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices.
That's not what it's there for.
It's there for two reasons:
1. To keep you from F-ing around with the baseband firmware for the SDR.
This prevents you and a bunch of your Jihadi buddies staging a terrorist attack, and then interfering with the ability of emergency responders to actually react effectively to the attack in order to mitigate damages.
People do not want you dicking with the SDR, because preventing you from doing that keeps you off the emergency responder and military frequencies with commodity devices that look like normal cell phones until you run the jamming package.
2. To keep third parties from dropping malware onto your device.
If you have to have a chain of trust to get software onto a lot of devices, it doesn't matter if you can get it onto just one developer device, or get it onto hundreds of enterprise enrolled devices, that's not the same as getting it onto 10% of the planetary devices of a given type.
It keeps your crapware off my iPhone.
I can live with both of these things.
Make them financially responsible. Your lack of security cost your customers x amount of money, pay 1.5x as a fine. Customers get their money, government gets the .5, companies know what will happen if they get careless, or stop paying attention.
Companies want the same rights as individuals, make them take the same responsibilities.
Really impressive results with Kaspersky.
(0) Make generic "consumer waivers" And "compulsory arbitration of disputes involving company mishandling of customer information" illegal. Consumers may NOT be required to waive rights to the privacy of their personal information from dissemination by potential criminals and unauthorized individuals in a generic manner or by a "click through" or "default" agreement, Just to use or purchase a product or service.
(1) Shift the burden of proof so companies cannot imply non-breach by saying "We found no evidence that X occurred or that Y was leaked"; Make it law that Security breach will be assumed to have occurred, AND/OR Every piece of information from every system and database will be assumed to be leaked, Especially upon any suspected incident or event, in the absence of control audit reports with complete competent comprehensive evidence to a high standard that information has Not been leaked and a breach did not occur; Based on evaluating system log outputs over a period of time, and auditing the strength, adequate depth, and proper implementation of a set of whole-stack multi-layer detective controls on network/database activities: Proving the continuous and ongoing integrity of controls intact for a period of time after a suspected incident --- consistent with end-to-end monitoring and analysis of every network transmission and query action on systems containing consumer data.
(2) Legal damages for security breaches where customer personal/financial information is breached with Absolute legal responsibility (Instead of the current standard of a 'Mere duty of care' or 'Mere non-negligence') on any 3rd-party holder of consumer personal, medical, or financial information to keep that safe ---- To be defined to include A minimum statutory amount of damages of $2,000 - and other amounts to cover Consumer's inconvenience - at least $100 per hour that will be wasted on the phone for reasonable number of hours plus All costs appropriate for the consumer to help mitigate the risk of identity theft or repair their privacy ($$ per hour of labor, the real-estate commission costs, moving costs, travel, and other $$$ costs to move house in order to change a leaked street address, for example).
(3) Legal liability for damages TIMES 100 for data brokerage companies that COLLECT information with no consumer opt-out or "information removal" controls.
With a burden of proof that customers with access to a brokers' services are legitimate users , and consumer information is not disseminated or leaked to potential criminals.
(4) Legal liability for damages TIMES 10 on the accuracy of security claims and/or marketing messages made by services or paid software companies implying that their product, website, or service is secure And/Or breaches that occur after a company makes any security claims or representations.
Pass a couple of laws making it clear that companies are liable for any costs resulting from security failures of their products, and making it easy for consumers to file and collect on such claims.
Even more important: make it easier to nail company executives personally, if one can show that executives were negligent. Equifax is the perfect example: There is plenty of evidence that the CxOs were informed of failures in their processes as much as a year in advance of the first breach. Yet they did nothing. Their personal assets should be on the line right along with the corporate assets, when the inevitable lawsuits come to a conclusion.
Enjoy life! This is not a dress rehearsal.
What a man can make, a make can break.
E Proelio Veritas.
The best way to keep third parties safe from breaches is to ban them from gathering or keeping potentially harmful data in the first place. Of course that may come with its own host of side effects.
I won't say who, but I actually heard a rep from a fairly big company say that it was cheaper to just pay the damages and suck up the loss of good will than to secure their network.
As long as they can buy their way out with a fine or judgement that is less than .01% of annual revenue and the public's memory fades after a week they won't change.
Hold the officers personally liable (negligence) and fine them 50% of their net worth. That'll get their attention.
I just recently joined a startup and noticed a glaring exploit a few hours ago which will allow anyone to login to the customer's portal, after doing "stuff" for a couple of hours.
I informed the relevant people verbally and it doesn't seem to be taken as an urgent issue.
I put it in the bug tracker (which doesn't have a category for security / exploit / similar) for the pass few hours, unassigned / uncommented by anyone else.
We shall see what happens when it happens ...... at least I done my part(although I didnt join here to really concentrate on security) by making sure the relevant people know about it.
I think the EU is moving towards a law where a company must at least provide X years of support for security issues (not sure on this, though). Unless you put these things into law and include hefty fines for not following said laws, companies will just keep on ignoring making secure devices.
On a long enough timeline, the survival rate for everyone drops to zero.
Accountability : It not only works for security, it works for many other things as well. It starts with taking a cookie for a kid and goes on to as far as you take it.
If there is no accountability, there was no wrongdoing in the first place.
Don't fight for your country, if your country does not fight for you.
The problem, from a public awareness point of view, is that there is little traceability even when something bad happens.
The effect may be that you spend several months trying to regain control of your identity and you never fully recover all of the money that "you" spent.
The cause may be that one big organisation leaked enough of your personal information to let the identity thief succeed in convincing several other big organisations that they were you.
All of those organisations are demonstrably at fault, but unless the victims can actually join the dots, neither they nor anyone else (governments, media, future potential victims) are going to hold the responsible organisations accountable.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Step 1) So post the company name on 4chan w/ the challenge no one can get in and do lasting harm to my company, "We are invincible."
Step 2)?
Step 3) Profit
It worked well for equifax.
Seriously? That's pretty much the opposite of competition, and there's too many companies that sit where they are because there is no meaningful competition. Obviously Equifax is the most recent example in the spotlight, but they are not alone.
Hire cybersecurity people who have no experience, but have the knowledge. Stop keeping cybersecurity jobs open for six months to a year because you're having trouble finding talent.
An empty chair does NOT solve more problems than a rookie.
I hate to advocate new laws, but if a company knowingly ignores security, takes someone's money, and that person gets hacked because of it that company ought to be on the hook legally. The only way they're going to care is if there's some tangible stake in giving security serious consideration.
I don't believe in karma, I just call it like I see it.
Need I elaborate?
It's Xeno's chairman!
Plunge their stock price down to $0.01 for a security gaff is the only way companies will prioritize security/
The millennial that doesn't like most of the stuff designed for millennials.
A foreign government exerting cyber-influence over a US Presidential election wasn't enough--- nothing will be.
125 years ago, thousands died in the USA alone from boiler explosions each year. That led a small group of engineers to develop what became the ASME Boiler and Pressure Vessel Code. "The Code" is now mandatory by law in almost every US state and Canadian province. It doesn't prevent all accidents, but now fatalities are down to a few per year.
If the professional IT community is serious about this problem, they should band together, develop a code of performance and security standards, publish them, and campaign to have them adopted as law.
Wherever there's a system, there'll be a way to exploit it. It won't actually ultimately make a positive difference if companies "focus on security," because the problem is not in the code or the hardware, or really any part of the technical system; the problem is in people.
There is nothing that will work in the foreseeable future. The public does not care enough, and the politicians have a vested interest in not caring.
Laws will not be passed because both parties are owned by corporate interests. Sometimes the corporate interest is split on an issue, and something can happen. But virtually all corporations will oppose regulations that require security---as well as laws that establish greater liability for poor security.
The Equifax breach is the largest compromise of public data, and there is little outrage. Not enough to force real change by Congress. There will be minor changes, if anything happens at all.
Until a hacker does something truly drastic, the general public will remain blissfully ignorant of the risks. And by drastic, I mean something like bringing down the power grid, or flooding a region by tampering with a dam.
Most of the pre-Millenial generations do not understand how much data is exposed and how it can be misused. Sure, IT workers of any age will understand, but the older cohort as a whole does not. For those people, it will take a concrete disaster to drive the message home. My own parents are prime examples, in spite of attempts to educate or warn them.
For decades, IT security has been "out of sight, out of mind". A lot of people choose to remain ignorant, and the corporate leaders profit from it in the short term.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Security at the corporate and government level will become important when some important CEO or high government official gets their calendar hacked and this person get's their head sawed off you-tube by ISIS.
Most companies have other things in their focus. If they focused on security they would just close shop. That is the most secure option.
Why does the government have to get involved, wasting taxpayer dollars, for something that is a waste of time and effort? If a business can't make a secure product, DON'T BUY FROM THEM. End of story.
The Randian/Libertarian viewpoint in the US is the only sane one in the world when it comes to this. Security issues are what market forces and the Invisible Hand are for. If a company is insecure, that is what we have an entire civil lawsuit system to handle. We don't need more laws. In fact, we need government out of regulating businesses, so the free market can do what it does best.
What will new laws do anyway? The blackhats tend to be impossible to beat anyway, so these laws will just punish come company unfortunate enough to be targeted and the fact of this made public. It just creates whipping boys, and solves nothing.