Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
Recruit, Reward & Retain Cybersecurity Experts
ODA155
User Rank: Ninja
1/20/2015 | 1:01:30 PM
I have a fourth idea!
Idea 4. Send somebody to jail. SOMEBODY is responsible for the decisions that ultimately led to what we saw in 2014... and before. Speaking as a 13-year security professional, I would love to see that happen if only once.
GonzSTL
User Rank: Ninja
1/21/2015 | 3:53:55 PM
Re: I have a fourth idea!
Idea 5. If the breach is a direct result of a bad decision, make that decision maker pay $$$. Although this is highly unlikely, just like ODA155, I would love to see that happen once.
CarricDooley
User Rank: Apprentice
1/22/2015 | 11:32:55 AM
Re: I have a fourth idea!

I'll use a Risk Mgt analogy I like to share with clients:

At 42, 350 lbs, and 15+ years of a sedentary lifestyle, Biff has a big fat heart attack. Realizing that his life choices have created this situation, and he doesn't want to leave his wife and kids behind, he gets on a program to get back down to 210. His lipids and blood pressure are AWESOME, and Biff looks like $1m! On his way from the CrossFit gym one day, Biff is tragically hit and killed by a speeding submarine.

Who's at fault, and who do we send to jail?  The submariner may have even had malicious intent, but he's Syrian, and was driving remote control (hence how the submarine got on the highway in the first place).

Biff, in this case, was doing everything he could to improve his odds, but his luck ran out.  Should we pin this on him?

And honestly, yes, most of us aren't like Biff. We are still ordering the "4x4 animal style" at the local In & Out, and rushing back home with chocolate shake in tow, ignoring the potential consequences, but I don't think "poor dietary choice/security" should necessarily be illegal. How often does the CISO even get to call the shots? He's a little like Spiderman, except he gets the responsibility with very little power...

ODA155
User Rank: Ninja
1/22/2015 | 1:27:35 PM
Re: I have a fourth idea!
@CarricDooley... It would sure suck to be Biff, and maybe someone should have to explain to his family how he got hit by a submarine while on the highway. Heck, living here in Minnesota I can tell you that I have seen some weird stuff on the highway; no subs, at least not yet.

But my problem with how the decisions are made is the actual "HOW" part: Risk Analysis and Cost Benefit Analysis. While they both have their valid uses, I believe they are being misused in the attempt to save money and/or time. Too often these large corporations are worried about the bottom line and who might or who can sue them, but while they can and often do win most of their cases or settle out of court, what happens to their reputation?

When you look at some of the data breaches that happened last year, true enough, we really do not know the true cause and we probably never will unless insiders tell the story. But when you hear about HOW Target was hacked, or J.P. Morgan Chase, NOAA, public school systems, NVIDIA, SONY, hospitals and other health-related organizations, carwashes and other companies that use PCAnywhere for remote access with the default passwords hard coded, Jimmy John's because they were using POS equipment that should not have been used and their QSA was on a blacklist... some of them happened because of bad administrative/technical management, warnings that were ignored. Somebody made those decisions that cost real people money, but those real people and their money are not figured into those Risk Analysis and Cost Benefit Analysis.

So yeah, I'd like to see the responsibility placed at the feet of whoever that person is, whether it's the CISO because he's not trying hard enough or the higher-level folks who took that decision away from the CISO. Or do like Target did (even though what they did was a cop-out): they fired the top IT person, who, when you look at her qualifications, it can be argued probably shouldn't have had that job in the first place.

But in the end, when that Risk Analysis or Cost Benefit Analysis is done and the numbers work a certain way... is it worth the reputation of your company to save the money versus doing what's right? If it's a publicly traded company I already know the answer to that.
CarricDooley
User Rank: Apprentice
1/22/2015 | 7:30:51 PM
Re: I have a fourth idea!

I would argue that the CISO often DOES pay - with his job. (A friend of mine once told me CISO actually stands for "career is so over"). 

As to the "cost benefit analysis of security", business is all about cost/benefit analysis. Should we get into building personal submarines? What will that require in terms of capex/opex? What are the risks? How do we keep them off Minnesota highways?

So, Infosec is hard to get right and largely misunderstood. It's also viewed as a "necessary evil", so yeah, most companies want to get away with spending as little as possible on it, and to most non-security geeks, it's "just another cost". The world is a fabric of compromise - nothing is ever ideal. A penny saved...

I had a fascinating chat with one of our clients recently: his efforts to improve his Secure SDLC process have netted savings in reduced bugs and better quality code due to how they addressed it. They educated their devs, and it has resulted in better apps as a by-product of an effort to secure the environment. Huzzah!

I have seen cases where we presented a cleaning procedure for 23 infected servers, that rapidly became 17 servers when 6 were suddenly deemed non-critical and could just be turned off. While thoughtfully stroking my beard, I asked the secops lead the following: "You have like 30k servers, right? What if you could turn off 7k of them tomorrow?"  It's an unrealistic extrapolation, but illustrated my point.  Sometimes, doing things more securely could have long term savings ramifications (reduced power, cooling, rack space... Oh yeah! And attack surface).

That is what most people do not realize because they have never seen it (nor will they if they don't measure what they do). And who measures the positive impact of the security program on the business? We buy stuff - we deploy it. We MUST be more secure, right?

I get the outrage of having someone make bad decisions that affect innocent customers and investors (the company also suffers for poor business decisions, btw, and I have seen the suffering of the IT team first-hand during a post-breach panicked recovery). But I would also say: "it depends on the circumstances", and I think the law does step in when it's egregious negligence. But I'm not sure doing a blanket "go to jail for doing a bad job" is wise either. That has a high potential to get out of control.