Slashdot Mirror


Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security?

New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.) With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security? The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors is all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.

One idea would be something similar to Underwriters Labs, except it would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?

31 of 158 comments

  1. Re:Hack them. by Anonymous Coward · · Score: 5, Insightful

    Actually many of them don't do much after a breach either.

  2. Insurance by Krishnoid · · Score: 4, Insightful

    Insurance translates risk into dollars into quarterly financials.

    • Investors who don't understand computer security can ask what's being done to mitigate risk ("You have fire insurance, why not cybersecurity insurance?")
    • The CEO/CFO/board sees that if they buy insurance, they can better risk-manage cybersecurity breakins, and can provide an answer to the institutional investors.
    • The insurance actuaries can insist on audits to make sure the software/server/network infrastructure is secured well enough to be insurable.
    • The rank-and-file IT get stuck with implementing it, and employees get stuck suffering with increased security.

    Moral of the story: start training for a job as an actuary.

    1. Re:Insurance by rtb61 · · Score: 2

      With the current state of software warranties, I could not imagine how insurance against hacking events could possibly exist. The initial assessment actively threatens the employment of IT staff, they are being judged and make no mistake, first on the audit list, fire and hire. That also plays out to the rest of staff, as any employee with access to at risk hardware can trigger a security breach.

      Sure I could imagine fly by night insurance who take premiums and never make payouts, using lawyers to fend them off for as long as possible whilst still collecting premiums and hugely inflated executive salaries and who bail to tax havens just before the company goes belly up (don't scoff in the era of rising sea levels that kind of insurance will appear for every coastal city on the planet, they'll set up subsidiaries they can extract profits from and then set adrift in a sea of underwater front bankruptcy).

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Insurance by Wycliffe · · Score: 2

      Exactly this. Just like we require liability insurance to drive a car, if we required PCI insurance to accept credit cards then there would be a dollar amount associated with it. Currently, PCI compliance is required (and in some cases just recommended) but failure to be PCI compliant is only a problem if you get caught. As much as I hate insurance companies some times, getting them involved would make it so that if a company wanted lower premiums, they would have to actively try to mitigate the risks.

    3. Re:Insurance by TubeSteak · · Score: 4, Informative

      The insurance actuaries can insist on audits

      Target was certified as PCI compliant a few months before they were hacked.
      The only problem is that the PCI audit would never have caught the memory scrapers that were used to infect Target's point of sale systems.

      Most of the major credit card hacks in recent memory involve companies who've been certified as PCI compliant.

      I'm not against audits, but it should be nakedly obvious that the audits we have are not the audits we need.

      All of which is to say that having insurance companies cook up security standards doesn't mean anything will become more secure.

      The PCI standard has a section on vulnerability scanning and penetration testing. It should be considered the bare minimum, not a reasonable security goal.

      --
      [Fuck Beta]
      o0t!
    4. Re:Insurance by coofercat · · Score: 2

      Such insurance exists here in the UK. I think the business model is to take in high premiums, and pay out as few people as possible, and only pay a relatively small amount (although I may be wrong, but the number quoted to me for my contracting company was too high to be worth doing, and let's face it, I'm not much of an IT pro if I need such insurance ;-) They pretty much just gave me a price, and didn't ask any real questions about my competence in such matters by the way - I guess they just looked at my small company and gave me a 'standard price'. If I was a mega-corp, they'd probably charge enough to actually care about competence and what due diligence I might have performed.

      I liken it to holiday illness cover (which we also have). It turns out there's a loophole in the UK rules that means you can pretty much just come home from holiday and make a claim on your insurance for the food poisoning you had. You don't really need any evidence as such, and you certainly don't need to have alerted the establishment which supposedly gave you the illness in the first place. Such insurance has been around for a long time, and I suspect the insurance companies have been collecting premiums for quite some time without ever really having any claims. However, now the lawyers have got ahold of it (yes, them again - doing "good" for humanity like always), the claims are getting silly. The insurance companies are passing some of their costs on to the establishments that supposedly caused the problem, and so, lots of unrelated holiday makers are now paying the price for the minority who keep claiming.

      Rant aside, the insurance companies have been pushing for limits on payouts of this nature (and will probably get them too). I'd imagine the same will become true for 'cyber' insurance in a few years time too, once the lawyers get ahold of that as a means to fleece the public.

    5. Re:Insurance by Wycliffe · · Score: 2

      Cyber insurance rates are already risk based. The insurance company will set your rate based on the level of competence in security you demonstrate.

      Yes, but Cyber Insurance is not required and most businesses don't have it.
      Requiring all businesses to carry it would make "level of competence you demonstrate" a number on the balance sheet
      where currently cyber risk is a vague potential future cost that most companies ignore.

    6. Re:Insurance by netizen_james · · Score: 2

      And for security, you never want "rank and file" implementing it. The rank and file don't understand security.

      Jolly good joke. It's the 'rank and file' that are going to get tricked by the phishers and 'social hackers'. It's the 'rank and file' who are going to set their password to 'password', or put their password on a post-it at the bottom of their monitor. Or save it to their GoogleDocs document named 'security' where they store ALL of their passwords...

      Security is EVERYONE's job. Top to bottom. Even the folks whose answer to the question 'where was the document that you want me to restore from the backup?' is "It was in Word". And this is why we can't have nice things....

  3. Add more features by aberglas · · Score: 4, Funny

    Features are what counts. The more features software has, the better it is. And add more layers, because abstraction and indirection are good. And most importantly, make it bigger and more complex because everyone knows that code is good so the more code the better.

    Eventually not even the hackers will understand it and we will all be safe.

  4. Easy by sexconker · · Score: 2

    Everyone at the top (CXO, board members, top paid employees based on cash plus stock options plus etc.) serves 1 day in prison for every instance of leaked info.
    Chase it down through subsidiaries, contractors, shell corporations, spouses, etc.

    The other option is mob justice. (Which is fine by me.)

    1. Re:Easy by Actually,+I+do+RTFA · · Score: 4, Insightful

      We shouldn't punish leaks, we should punish bad security. Heartbleed was unpredictable. There's a difference between unpatched WPA2 today and one week ago.

      --
      Your ad here. Ask me how!
  5. Arguable statement by war4peace · · Score: 4, Insightful

    "This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism."

    It's actually more complicated than this. You need to factor in the customer.
    The vast majority of customers for above-mentioned devices are "IT security-impaired". In layman's terms, they have no fucking clue (I don't blame them by saying this, it's just the way things are). So they vote with their wallet.

    If company A is very security-focused and produces aLightbulb with upgradeable firmware and active development for said firmware, but company B doesn't give a shit, you will end up with bLightbulb which costs 10 times less than aLightbulb. Guess which company would go out of business?
    IoT is filled to the brim with customers looking for the cheaper alternative, and security isn't a driving factor to motivate them to buy the more expensive product. Getting companies to agree on a security standard? Good luck with that, there's always going to be the profit-oriented company willing to sell their lightbulbs 15% cheaper, and have them cost 4 times less, undercutting and eventually buying off competition.

    Not saying I agree with how things are, but then again, it's how they are.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    1. Re:Arguable statement by arth1 · · Score: 4, Interesting

      Getting companies to agree on a security standard? Good luck with that,

      Blackhats love security standards. That's documentation that makes life much simpler.
      It's like a HOA that mandates that all front doors must have locks of one particular brand, and that audible alarms must be tested every 30 days.

    2. Re:Arguable statement by plover · · Score: 2

      Getting companies to agree on a security standard? Good luck with that, there's always going to be the profit-oriented company willing to sell their lightbulbs 15% cheaper, and have them cost 4 times less, undercutting and eventually buying off competition.

      Right now, the designers of WiFi light bulbs throw a SoC in the socket and a few LEDs on the heatsink, and because there's no standard, each company makes up their own bare-bones data connection for "on/off", and supplies a clunky iOS and Android app. Nobody reviews the protocols, they shove whatever no-name distro and web server they can think of into the SoC, and ship it.

      So the way to improve on this is to have an externally defined standard for IoT devices. The standards need to address all of the security problems. That means having a secure way to deliver updates. It can't be poking giant holes in home users' routers via UPnP. It needs to have a secure communications channel. It has to use high quality cryptographic algorithms. It must be completely open and free. Ideally it should be easier for manufacturers to download a reference implementation than it is to write their own, or to buy something. And of course it needs to be fully subject to review.

      What the standards really need to succeed in the eyes of the public is a championing body, with a logo, a certification body, rules, and an insurance fund. Stores need to feature signs like "This device's cyber security is guaranteed up to $5000 by the manufacturer, a member in good standing of The Secure Testing Industry Group (STIG)." The logo should become as common as the UL, CE, and ETL logos seen on electric appliances everywhere. Something that says "if you get hacked because our device was vulnerable, we'll pay you money."

      Then, we need retailers to get behind this. Make sure every web site selling them features The STIG certification logo right next to the stupid "Trust me" lock. The big box store shelves need to have signs proclaiming "Security certified by The STIG products sold here".

      Putting money on the table puts incentive on the manufacturers to be as secure as possible, and to patch things as quickly as possible. And it gets consumers to prefer it over an unlabeled brand.

      --
      John
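The secure update path plover sketches above (a trusted delivery mechanism, a secure channel, good cryptography, an open reference implementation) in working code, as an added example that is not part of the original post and not any real vendor's firmware: the vendor signs a small manifest with an Ed25519 key, the device carries only the public key, and it refuses any update whose signature, image hash or version does not check out. The type and function names (Manifest, Device, SignManifest, ApplyUpdate) and the sample image bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed header a vendor ships next to a firmware image.
// The device never trusts the image bytes directly: it trusts the manifest
// signature, and the manifest pins the image by its SHA-256 and a version.
type Manifest struct {
	Version   uint32   // monotonic; the device refuses anything <= what it runs
	ImageHash [32]byte // sha256 of the image bytes
	Signature []byte   // ed25519 over signedBytes()
}

// signedBytes is the exact byte string the signature covers: version and hash.
func (m *Manifest) signedBytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignManifest is the vendor side, run once per release with the private key
// that never leaves the vendor's signing infrastructure.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Device models the state a light bulb needs: the vendor public key baked in
// at manufacture and the version it is currently running.
type Device struct {
	VendorPub      ed25519.PublicKey
	RunningVersion uint32
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrImageMismatch = errors.New("image hash does not match manifest")
	ErrRollback      = errors.New("update version not newer than running version")
)

// ApplyUpdate is the device side. Order matters: verify the signature before
// believing anything else in the manifest, then the image hash, then the
// version (anti-rollback), and only then commit.
func (d *Device) ApplyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	if m.Version <= d.RunningVersion {
		return ErrRollback
	}
	d.RunningVersion = m.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (hypothetical)
	dev := &Device{VendorPub: pub, RunningVersion: 1}

	good := []byte("firmware v2: constructed sample image") // constructed data
	m := SignManifest(priv, 2, good)
	fmt.Println("genuine update:     ", dev.ApplyUpdate(m, good))

	tampered := append([]byte(nil), good...)
	tampered[0] ^= 1
	fmt.Println("tampered image:     ", dev.ApplyUpdate(m, tampered))
	fmt.Println("replayed old update:", dev.ApplyUpdate(m, good))
}
```

Because the manifest signature, not the transport, is what establishes integrity and origin, the image can be fetched over any channel; TLS on top protects confidentiality and stops an attacker from learning which devices are unpatched, but it is not what makes the update trustworthy. The anti-rollback check only holds if RunningVersion lives somewhere an attacker with local access cannot reset, which on real hardware means a monotonic counter in protected storage.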
  6. Require insurance by GuB-42 · · Score: 4, Interesting

    When you drive a car, the law requires you to have insurance, because you can do a lot of damage to others you won't be able to pay for if it happens.
    The idea here is to impose heavy damages in case of a breach and require companies to be insured to some amount. The insurance requirement is a way to prevent companies from just taking chances and get away with bankruptcy if bad things happen.
    Another advantage is that insurance companies don't want their customers to get hacked so that they can offer attractive prices and make profit. As a result, they will make sure that security best practices are implemented in the same way that theft insurance requires certain locks.

    To sum up, with mandatory insurance :
    - Hacked users will be compensated
    - Insurance companies will have real financial incentives to find ways of making things more secure
    - Insured companies will do their best to implement best practice as it will most likely lower their premiums. The worst may not be able to get insured at all and risk legal sanctions even before the inevitable hack happens

  7. Litigation ... by CaptainDork · · Score: 2

    ... and, you're welcome.

    --
    It little behooves the best of us to comment on the rest of us.
  8. Re:Stop relying on them by ShanghaiBill · · Score: 3, Interesting

    If a company doesn't pay attention to security, run in the other direction.

    How do you know which companies are paying attention? Also, how does one "run" from Equifax? You are in their DB, whether you choose to be or not.

  9. Re:The Pocket Book by RyoShin · · Score: 3, Insightful

    Get a grip on reality.

    Them, first. The amount I gave is quite high and could be lower, but that's sort of how fines (should) work: If you set a fine that is under the profit margin for the complicit activity, then the fine is just accepted as a part of the business (because the underhanded tactic still pays out more overall than compliance would.) Equifax is not losing corporate business AFAIK and is even getting some returns from credit monitoring services that have seen a spike of enrollments, so unless the fallout lands on them they'll happily ignore the reality many people are now in, in deference to the next quarter.

    I would be satisfied with Equifax completely shutting down, so let's agree to lower it to only $100/person and they can implode slightly less. I don't believe we have any sort of "execution" laws for corporate charters in this country, but more than a few really should have been and Equifax joins this prestigious group.

  10. Metrics by Cassini2 · · Score: 4, Interesting

    A key problem is that the IT industry lacks useful metrics. For instance:
    - We have Big O notation, but the compiler doesn't automatically detect algorithmic complexity. As such, no one can easily tell if you have written a program (algorithm) that scales well, or scales poorly. This is a big problem for non-trivial pieces of code, because it is very easy to include an O(n^2) library function in a "tight" O(n^2) loop.
    - Memory management is so well hidden in modern environments, that it is often impossible to tell how efficiently memory is used. It's a variation on the Big O notation problem. Thus, memory usage in a large framework (C# or Java) can obscure memory leaks and O(n^2) memory usage problems, until n becomes sufficiently large (in full production).
    - What metric measures security? Security doesn't even have the benefit of Big O notation.
    - In a big program, it is often not even possible to tell what code paths are actually being used. Run-time profiling helps a great deal, however there are privacy issues.
    - There is an entire landmine about programs including interpreters (compilers) to execute user-generated code blocks. For a program of sufficient size, it is necessary to do this. However, it is a security nightmare. How do you even tell, in the context of a large application, if it is possible for someone with normal use rights to execute malicious code?
    - Almost every programming resume claims that the person is proficient in HTML, Java, and C++. How do you tell which programmers are good? In the context of a given project, what does good mean anyway?

    Some metrics are present in software, but they are often ridiculed:
    - # of lines of code
    - Execution time. Specifically, execution time does not matter if the task is sufficiently fast that no one cares. If you have a Big O notation scaling problem, it is often possible to ship software and someone not notice until it is in production.

    Many other industries have methods of measuring quality and suitability. In software it exists, but not in an easy to use, obvious and mature form.
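Cassini2's first bullet, a linear library call sitting inside a linear loop, is the accidental-quadratic pattern behind a recurring class of denial-of-service bugs, and the missing metric can at least be approximated empirically. The following is an added example (not from the original post): two deduplication routines, one with a slice scan and one with a hash set, and a small harness that estimates the scaling exponent k in T(n) ~ n^k by timing each at n and 4n. The function names and the LCG-generated input are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// sink keeps the compiler from treating the timed calls as dead code.
var sink int

// dedupeScan is the accidental-quadratic version: the membership test is a
// linear scan of the output slice, and it sits inside a linear loop.
func dedupeScan(xs []int) []int {
	out := make([]int, 0, len(xs))
	for _, x := range xs {
		seen := false
		for _, y := range out {
			if y == x {
				seen = true
				break
			}
		}
		if !seen {
			out = append(out, x)
		}
	}
	return out
}

// dedupeSet replaces the scan with a hash-set lookup: O(n) expected.
func dedupeSet(xs []int) []int {
	seen := make(map[int]struct{}, len(xs))
	out := make([]int, 0, len(xs))
	for _, x := range xs {
		if _, ok := seen[x]; ok {
			continue
		}
		seen[x] = struct{}{}
		out = append(out, x)
	}
	return out
}

// sampleInput is constructed test data: a deterministic LCG stream with few
// repeats, so the scan version cannot short-circuit early.
func sampleInput(n int) []int {
	xs := make([]int, n)
	s := uint32(0x9e3779b9)
	for i := range xs {
		s = s*1664525 + 1013904223
		xs[i] = int(s >> 8)
	}
	return xs
}

// minTime runs f reps times and returns the fastest run, which filters out
// most scheduling noise.
func minTime(f func(), reps int) time.Duration {
	best := time.Duration(math.MaxInt64)
	for i := 0; i < reps; i++ {
		start := time.Now()
		f()
		if d := time.Since(start); d < best {
			best = d
		}
	}
	return best
}

// ScalingExponent estimates k in T(n) ~ n^k by timing f on n and 4n items:
// k near 1 means linear, near 2 means quadratic.
func ScalingExponent(f func([]int) []int, n int) float64 {
	small, large := sampleInput(n), sampleInput(4*n)
	tSmall := minTime(func() { sink += len(f(small)) }, 3)
	tLarge := minTime(func() { sink += len(f(large)) }, 3)
	return math.Log(float64(tLarge)/float64(tSmall)) / math.Log(4)
}

func main() {
	fmt.Printf("dedupeScan: k ~ %.2f\n", ScalingExponent(dedupeScan, 2000))
	fmt.Printf("dedupeSet:  k ~ %.2f\n", ScalingExponent(dedupeSet, 100000))
}
```

The estimate is crude (it ignores constant factors, cache effects and GC pauses), but it answers the question the post says nobody can answer: the scan version reports k close to 2, the set version close to 1, and a value of 2 on a code path reachable with attacker-sized input is a DoS finding, not a style nit.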

  11. Re:Hack them. (Literally!) by flopsquad · · Score: 3, Insightful

    "So, Randolph Q. Chairman — can I call you Randy? — Randy, every time a customer's data is stolen from your company's database, Boris here is going to cut you in half with his machete. Is that what you want, Randy? Hm?"

    --
    Nothing posted to /. has ever been legal advice, including this.
  12. Affect their bottom line by LazLong · · Score: 2

    Create regulations that provide for large fines. Companies rarely care about anything unless it costs them money.

    1. Re:Affect their bottom line by Bing+Tsher+E · · Score: 2

      Regulations and large fines would be leveraged against 'Free Software' and 'Open Source.'

      Do you want a regulatory agency to be required to rubberstamp all software that is released to the public?

      A new version of Linux could probably come out every five years under such a system.

  13. Re:Let the CFO run IT by Darinbob · · Score: 2

    Just get someone competent to run IT. And it's not just IT, security covers all departments. R&D that makes products that should have security, operations with external facing servers that should have security, servers that retain customer data, and so forth.

    The problem in IT is that it's usually run by someone who just repeats Microsoft marketing and industry buzzwords. There's no real leadership except to pass along the same cookie-cutter solutions to their cookie-cutter employees. That often makes IT the worst place to get security leadership. Your college kid is going to be much much worse to be honest, they won't know the first thing about security; they skipped all those hard classes with math and theory. You need security leadership from a corporate wide group, with enough clout and authority to get things done instead of just being ignored. That's the snag though, there are security experts out there but they're often ignored. Security is very expensive, and it's inherently inconvenient.

    The trick then is to make security important enough that people in authority take notice. They can't just delegate to head of IT, the worst person to put in charge of it (probably that same person skipped all the math and theory classes). And to get the leadership's attention, money must be involved. There must be a very prominent risk to the bottom line. The meltdown of blunders at Equifax isn't getting anyone to change their ways ("they failed because they had idiots in charge, but we have geniuses in charge here!").

    One way to do this is to get customers to demand security. If one product is seen as insecure, then customers must shun it, no matter how cool or fashionable it is. But that's a pipe dream - customers don't care about security, that's why they keep buying more and more privacy invading devices. They want the newest devices always, even though the first devices to market always leave out security so that they can ship soonest. If you can somehow magically change how customers think about products so that they want something safe and secure and which doesn't snoop on them, then maybe companies will start to care about security.

    So that's why I think the question needs to change. Instead we should ask "what are ways to get CUSTOMERS to actually focus on security?" Because that's the only thing that will make companies focus on security.

  14. Re:C-level execs in handcuffs by Darinbob · · Score: 2

    We're just putting the wrong people in prison. We imprison people for using drugs who are hurting no one but themselves, but if a CEO screws up people's lives they often get a bonus for it.

    There will always be someone who accepts the risk. You should not raise the pay, it is better to get someone who accepts the CEO job at lesser pay who is good at it than someone who demands huge compensation and then plays golf all day.

  15. Capitalism To The Rescue by mentil · · Score: 2

    Not to worry, the perfectly-informed consumer* will choose not to buy insecure products, causing only perfectly secure devices to survive in the marketplace.

    *Spherical, and in a vacuum

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  16. Cyber 9/11 Already Happened by Cyberpunk+Reality · · Score: 2

    It culminated on Nov 8, 2016. And it is so well done that most Americans don't even realize we're under attack.

    --
    Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
  17. Re: Let the CFO run IT by Darinbob · · Score: 2

    Everyone's got a different definition of IT. To me, IT isn't intertwined in the daily operations, it is only intertwined in keeping the corporate network and computers running. Most of that type of IT is getting sourced, overseas or to specialized companies or cloud services. They don't have the corporation's best interests in mind; they won't lose their job for very long if there's a breach, their stock options won't vanish, etc. That's not the group you want protecting the company's family jewels.

    Of course, other places IT seems to be a catch-all term. Smaller companies, or companies whose main business has nothing to do with computing or technology (law firms, hospitals, etc). But in this case the company should never just assume that IT is taking care of the cyber security without actually making sure that IT knows that task is their responsibility; it's very often the case that the IT people who were hired to keep the computers running know nothing about cyber security beyond installing anti malware applications.

    Yes, the head of IT can be an advisor, or IT employees, but just a small part of a broader group of advisors. There is nothing inherent in IT services that makes them the experts in security.

  18. look at Europe by Tom · · Score: 2

    You can see right now in Europe how to do it. We've tried it the hard way for 30 years, worked not so very much. For about the same time we tried to convince politics that this is a danger, not much happened. Oh yeah, one day SOX happened and that brought a tiny benefit, but mostly on the paperwork and consulting-hours side.

    In Europe, right now massive investments into information security are being made, because of two laws that politicians have finally passed, both at the EU level. One is the General Data Protection Regulation and the other is the Council Directive "on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection". You have an equivalent (referenced in the EU) from the NIST.

    The fundamental change, and that answers your question, is that violations of these laws, and especially data breaches or other infosec events that could have been prevented with proper security, now carry massive fines. Let me quantify "massive":

    €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater

    The magic bullet is the 4% rule. It refers to global revenue, and it refers to corporate revenue - no more reducing risk by separating your corporation into tiny "independent" companies. If a five-person subsidiary of Facebook suffers a severe data breach, the fine can be $345 million.

    Also, the law puts the legal liability to top-level management. That is the second magic bullet. Put CEOs and directors on the front line. Unless they can demonstrate that they took steps to comply with the technical and organisational requirements, they could go to jail. Now that gets top-level management moving.

    So the simple answer is: Hit them where it hurts. Money and personal liability. Take away the corporate shield and diffusion.

    Disclaimer: I do this stuff for a living. We are currently being drowned in projects to implement ISMSs and the GDPR is a main driver behind that.

    ---

    Addendum: This gets you basic security levels. As soon as the risk management labels the residual risk as acceptable, that's it. My personal opinion is that our security is still shoddy at those levels, and the main reason we're not all dead is that most hackers are imbeciles and the only reason they can make a living with their laughable hacking skills is that security is such a joke. For illustration, look at the typical spam / phishing mails you get. Who would fall for that shit full of spelling errors, grammar mistakes and my-blind-grandma-could-spot-this forgery? The answer is: If you send it to enough people, you will find enough idiots who do.

    Once we have a basic security level across the board, the game will change. Lots of "hackers" will have to go back serving burgers and fries, but those with any actual skills will step up their game. And then we'll be in a world of hurt. There'll be an Equifax every month. My daily rate will probably skyrocket because supply and demand, but I'm still not looking forward to that.

    If you are serious about security, as the saying goes you don't have to run faster than the bear, only faster than your friends. But don't walk just because they do. Start running now, because once they are eaten, you have to run faster than the bear.

    --
    Assorted stuff I do sometimes: Lemuria.org
  19. Re: Let the CFO run IT by Billly+Gates · · Score: 2

    No, that is the problem. IT is supposed to be part of the organization. Only in the last decade has this changed, as IT became involved with business processing and critical operations. If IT is not qualified to handle security then who is??

    IT NEEDS to be advised and to be part of the process or you end up with a nightmare like this. How much money do you think that airhead marketing manager makes in that video and how successful do you think that new website in that video linked above will be?

    Hell the poor IT web developer can't even email the VP about the requirements without being fired. The VP could have saved a lot of money by firing the 6 figure airhead and working with the web developer to get it done with a proper budget.

    If you treat them like janitors you risk disaster. I for one worked for companies where they wanted 1 months worth of work in 3 weeks or else we will get an Indian etc. Guess what? Projects failed.

    If IT is respected again and not freaking outsourced for pennies on the dollar and part of the organization just like HR, Sales, Marketing, Finance, etc then you will get a CIO who is qualified to handle security.

  20. Traceability by Anonymous+Brave+Guy · · Score: 2

    The problem, from a public awareness point of view, is that there is little traceability even when something bad happens.

    The effect may be that you spend several months trying to regain control of your identity and you never fully recover all of the money that "you" spent.

    The cause may be that one big organisation leaked enough of your personal information to let the identity thief succeed in convincing several other big organisations that they were you.

    All of those organisations are demonstrably at fault, but unless the victims can actually join the dots, neither they nor anyone else (governments, media, future potential victims) are going to hold the responsible organisations accountable.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  21. Re: Stop relying on them by netizen_james · · Score: 2

    You can't stop credit bureaus et al from Hoovering up your data and reselling.

    Sure you can. Never apply for any credit. Never borrow any money from a bank. Never use electronic payments of any kind. Always buy everything with cash in face-to-face transactions. Don't work for anyone who refuses to pay you in cash in a face-to-face transaction. Don't waive your privacy in order to get a job - don't work for an employer who participates with TALX in providing salary and employment information.

    If you have no electronic 'footprint', there won't be anything for them to 'hoover up'. Of course, then you wouldn't be here on slash-dot.... And good luck finding an ISP that you can pay with cash. Hard enough finding one that takes cheques....