Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
Why Perimeter Defenses Are No Longer Enough
jjthomps
User Rank: Apprentice
5/5/2014 | 11:03:39 AM
Re: Pivotal moment for "due care"
"...proof that internal policies were followed" <- exactly. My guess here is that Target had a policy that stated something like "... events categorized as X,Y,Z are escalated according to table A, with the following SLA's in table B."

Was their policy and supporting procedures designed that way? If so, did they follow their defined process? If not, then what? Is the standard of due care in following the process as DESIGNED? In tests of operating effectiveness, Target "passed" for PCI, either their auditor did not properly test the controls, ignored residual risk issues, or that they reported on these issues and Target ignored the feedback. PCI does not do a good job forcing assessors to consider residual risk (the way accounting firms have to). Even if they did, then allowing QSACs and P's to opine on residual risk would be a mismatch in skills to activity being expected of the QSAPs.

Going back to design, what if the process and controls are not designed correctly, then who is responsible for determining that and what impact would that finding have? Right now the consumer and AG's are the option for accountability as there is no regulatory function in place to adequately manage this situation when it comes to consumer protection. 
Bprince
User Rank: Ninja
5/5/2014 | 1:13:02 AM
Re: Pivotal moment for "due care"
Seems like the bare minimum of due care would be compliance standards and proof that internal policies were followed. But does there need to be more, since as the Businessweek article points out there were signs that were missed? What if your internal policies aren't strong enough to prevent a breach? Should there be a law that says if alert X is triggered due to an unauthorized act and an organization doesn't take action Y to remediate it they are liable? That could be very difficult to do right.

 
jjthomps
User Rank: Apprentice
5/2/2014 | 6:43:58 PM
Re: Pivotal moment for "due care"
Marilyn,

When I said "that would shape precedent, case law", I was saying that the pending legislation against Target, and the resultant decisions by the court, will shape case law moving forward about standards of due care and negligence. Please see case 14-CV-2069 Trustmark National Bank v. Target and Trustwave. As this is pending, we need to wait and see the outcome as well as the other suits being filed by state AG's. 
Marilyn Cohodas
User Rank: Strategist
5/2/2014 | 4:54:30 PM
Pivotal moment for "due care"
Thanks for the blog, J.J. I'm curious to learn more about the legal precedent you mention. Is there litigation pending against Target based on the due care standard?

