Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security?
New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it would fundamentally change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train). With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security? The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors is all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.
One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
Actually many of them don't do much after a breach either.
Insurance translates risk into dollars into quarterly financials.
Moral of the story: start training for a job as an actuary.
Features are what counts. The more features software has, the better it is. And add more layers, because abstraction and indirection are good. And most importantly, make it bigger and more complex because everyone knows that code is good so the more code the better.
Eventually not even the hackers will understand it and we will all be safe.
"This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism."
It's actually more complicated than this. You need to factor in the customer.
The vast majority of customers for the above-mentioned devices are "IT security-impaired". In layman's terms, they have no fucking clue (I don't blame them by saying this, it's just the way things are). So they vote with their wallet.
If company A is very security-focused and produces aLightbulb with upgradeable firmware and active development for said firmware, but company B doesn't give a shit, you will end up with bLightbulb which costs 10 times less than aLightbulb. Guess which company would go out of business?
IoT is filled to the brim with customers looking for the cheaper alternative, and security isn't a driving factor to motivate them to buy the more expensive product. Getting companies to agree on a security standard? Good luck with that, there's always going to be the profit-oriented company willing to sell their lightbulbs 15% cheaper, and have them cost 4 times less, undercutting and eventually buying off competition.
Not saying I agree with how things are, but then again, it's how they are.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
When you drive a car, the law requires you to have insurance, because you can do a lot of damage to others you won't be able to pay for if it happens.
The idea here is to impose heavy damages in case of a breach and require companies to be insured to some amount. The insurance requirement is a way to prevent companies from just taking chances and get away with bankruptcy if bad things happen.
Another advantage is that insurance companies don't want their customers to get hacked, so that they can offer attractive prices and make a profit. As a result, they will make sure that security best practices are implemented, in the same way that theft insurance requires certain locks.
To sum up, with mandatory insurance:
- Hacked users will be compensated
- Insurance companies will have real financial incentives to find ways of making things more secure
- Insured companies will do their best to implement best practices, as it will most likely lower their premiums. The worst may not be able to get insured at all and risk legal sanctions even before the inevitable hack happens.
If a company doesn't pay attention to security, run in the other direction.
How do you know which companies are paying attention? Also, how does one "run" from Equifax? You are in their DB, whether you choose to be or not.
Them, first. The amount I gave is quite high and could be lower, but that's sort of how fines (should) work: If you set a fine that is under the profit margin for the complicit activity, then the fine is just accepted as a part of the business (because the underhanded tactic still pays out more overall than compliance would.) Equifax is not losing corporate business AFAIK and is even getting some returns from credit monitoring services that have seen a spike of enrollments, so unless the fallout lands on them they'll happily ignore the reality many people are now in, in deference to the next quarter.
I would be satisfied with Equifax completely shutting down, so let's agree to lower it to only $100/person and they can implode slightly less. I don't believe we have any sort of "execution" laws for corporate charters in this country, but more than a few really should have been and Equifax joins this prestigious group.
A key problem is that the IT industry lacks useful metrics. For instance:
- We have Big O notation, but the compiler doesn't automatically detect algorithmic complexity. As such, no one can easily tell if you have written a program (algorithm) that scales well, or scales poorly. This is a big problem for non-trivial pieces of code, because it is very easy to include an O(n^2) library function in a "tight" O(n^2) loop.
- Memory management is so well hidden in modern environments, that it is often impossible to tell how efficiently memory is used. It's a variation on the Big O notation problem. Thus, memory usage in a large framework (C# or Java) can obscure memory leaks and O(n^2) memory usage problems, until n becomes sufficiently large (in full production).
- What metric measures security? Security doesn't even have the benefit of Big O notation.
- In a big program, it is often not even possible to tell what code paths are actually being used. Run-time profiling helps a great deal, however there are privacy issues.
- There is an entire landmine around programs that include interpreters (compilers) to execute user-generated code blocks. For a program of sufficient size, it is necessary to do this. However, it is a security nightmare. How do you even tell, in the context of a large application, if it is possible for someone with normal use rights to execute malicious code?
- Almost every programming resume claims that the person is proficient in HTML, Java, and C++. How do you tell which programmers are good? In the context of a given project, what does good mean anyway?
Some metrics are present in software, but they are often ridiculed:
- # of lines of code
- Execution time. Specifically, execution time does not matter if the task is sufficiently fast that no one cares. If you have a Big O notation scaling problem, it is often possible to ship software and someone not notice until it is in production.
Many other industries have methods of measuring quality and suitability. In software, it exists, but not in an easy-to-use, obvious, and mature form.
We shouldn't punish leaks, we should punish bad security. Heartbleed was unpredictable. There's a difference between unpatched WPA2 today and one week ago.
Your ad here. Ask me how!
"So, Randolph Q. Chairman — can I call you Randy? — Randy, every time a customer's data is stolen from your company's database, Boris here is going to cut you in half with his machete. Is that what you want, Randy? Hm?"
Nothing posted to