Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response



--On January 9, 2012 10:34:40 AM -0800 Bob Dobbs <bobd10937@xxxxxxxxx> wrote:

> On Sat, Jan 7, 2012 at 5:42 PM, <Valdis.Kletnieks@xxxxxx> wrote:


> > It matters a lot less than you think.  Go look at Sony's stock price
> > while they were having their security issues - it was already sliding
> > *before* PSN got hacked, but continued sliding at the *exact same rate*
> > for several months, with no visible



> Indeed. It is surprising to me that customers don't care more about this
> than they do. But the customer, in the end, doesn't seem particularly
> concerned about their personal data. If they did they would stop buying,
> revenue would fall, and stock price would fall.


Or, they don't understand the ramifications of the exposure to them
personally. (I've been watching my bill for months, and I haven't seen any
unauthorized charges. This must not have affected me personally.) Or they
never even hear about it to begin with. (We in IT and Security assume that
"everyone" knows about breaches. Nothing could be further from the truth,
even in the most publicized of cases.)


> > As high priority as the IT Sec people usually think it should be, or as
> > high priority as a cold hard-line analysis of business cost/benefits says
> > it should be?  IT people tend to be *really* bad at estimating actual
> > bottom-line costs.

> I can perfectly understand the cold rationalizing of ROI on issues of
> security expense. I am much less forgiving of companies who constantly
> say (and they all do) that they take great care with your data, won't
> share it with anyone else, implement great security, etc. Then they are
> owned by some stupid means such as a flawed and out of date
> Internet-facing webapp and proven to be liars.


Yeah, but you can always blame some low level person for not following
policy, right? IOW, they had the right policy in place, but they didn't
have good procedures for ensuring that the policy was being rigorously
followed. Auditing wasn't as robust as it should have been, so it didn't
find the edge case that brought the whole system down.

> I wish there were far more punitive punishments for customers to pursue
> to help shift the ROI towards providing more security.


Except it wouldn't. It would simply raise the cost of the product to the
consumer. Corporations that get "taught lessons" by large fines simply
pass that cost on to the consumer. They seldom learn as much as you think
they might or should have.

There's a gap between policy and procedures and between procedures and
auditing. There are always edge cases that fall outside the purview of the
watchers and escape detection until something bad happens. Technology is
getting better at discovering those gaps, but they will always exist.

For example, recently a Columbia researcher discovered a way to use an HP
printer to hack into an enterprise and compromise internal assets. A good
security person would have already anticipated the risk and remediated it.
(We moved all our printers to private IPs about 10 years ago for that very
reason.) But many people didn't give it much thought at all. (After all,
who's going to hack a printer? It doesn't really gain you much.)

The same thing was true, back in the old days, of DNS hosts with vulnerable
versions of sendmail installed. "No one" ever thought they might be used
as spam relays - until someone did - and standard install procedures didn't
disable or secure sendmail because that wasn't the purpose of the box.

That's just human nature.

The really secure places plan ahead for such things, routinely check for
out-of-compliance conditions, and enforce an environment where things are
"done right" all the time.

Very few such places exist.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
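As an added illustration of the routine out-of-compliance check the post describes (my own example, not part of the thread), this script audits a constructed asset inventory against a hypothetical policy covering the two cases named above: printers outside RFC 1918 space, and SMTP listening on a host whose job is not mail.

```python
import ipaddress
from collections import namedtuple

# Constructed sample inventory (not from the post): hostname, role, IP and
# listening TCP ports. Documentation ranges stand in for public addresses.
INVENTORY = """\
hostname,role,ip,open_ports
prn-floor3,printer,203.0.113.27,9100;80
prn-hr,printer,10.20.5.14,9100
ns1,dns,198.51.100.9,53;25
mx1,mail,198.51.100.10,25;587
www1,web,203.0.113.5,80;443
"""

# Hypothetical policy: printers may only sit in RFC 1918 space, and only
# hosts whose role is "mail" may listen on SMTP ports.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_ONLY_ROLES = {"printer"}
SMTP_PORTS = {25, 587}
SMTP_ROLES = {"mail"}

Finding = namedtuple("Finding", "hostname rule detail")

def is_rfc1918(ip):
    # Not ip.is_private: Python also flags documentation/benchmark ranges as private.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_inventory(text):
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["open_ports"] = {int(p) for p in rec["open_ports"].split(";") if p}
        rows.append(rec)
    return rows

def check_compliance(rows):
    findings = []
    for r in rows:
        if r["role"] in PRIVATE_ONLY_ROLES and not is_rfc1918(r["ip"]):
            findings.append(Finding(r["hostname"], "public-ip", f"{r['role']} reachable at {r['ip']}"))
        exposed = r["open_ports"] & SMTP_PORTS
        if exposed and r["role"] not in SMTP_ROLES:
            findings.append(Finding(r["hostname"], "unexpected-smtp", f"{r['role']} host listens on {sorted(exposed)}"))
    return findings

def audit(text=INVENTORY):
    return check_compliance(parse_inventory(text))
```

Run `audit()` on the embedded inventory and it reports the public-facing printer and the DNS host with SMTP open; feed it a real asset export on a schedule and the gap between policy and auditing the post talks about becomes a daily report rather than a surprise.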
