Spend More on Security


  • The problem is more tricky than code fixes.

    Many breaches are caused by social engineering. Others are caused by third, fourth or fifth parties. Some are caused by bugs in application libraries that we have no access to. And even the coding errors are frequently obscure, found by very motivated, resourceful and smart individuals (to compare, fire doesn't change tactics over the years; fire safety can be handled by static rules). Raising legal costs probably won't eliminate it, any more than raising punishments for those at fault eliminates automobile accidents. Our own military and government agencies have been hacked, so I'm not sure they're in a position to define security.

    Interestingly, the hotel hack appears to NOT have been a normal criminal activity. The account information has not appeared on the black market, nothing seems to have happened with the credit card information. The theory I've heard is that it appears the attackers were after passport and travel info which can be an opening for social engineering attacks on executives and government officials ("Hi, do you remember me, we met at the engineering conference in Barcelona last month"). If that's true, this is a nation state job, operating at a level that most IT departments are not prepared to match.

    ...

    -- FORTRAN manual for Xerox Computers --

  • IMO until the liability landscape shifts toward making collectors of data responsible and accountable for data leaks nothing will change. They won't spend more money because it is foolish to. It is cheaper for them to just do what they do now: say they got caught with their pants down, are very sorry, and buy people credit monitoring services. 

    I too wish security was more of an emphasis but I cannot see change unless liability is impacted. How to do that is always the tricky thing. It could be something like what the EU has with GDPR. It could be a change in civil lawsuits so people can sue for damages, it could be increased regulation and standards enforcement. Hard to say which is best.

    Lastly - there are some rare cases where there's not much more the company could have reasonably done to prevent a breach. I know, I know, most leaks are due to poor security and practices. However, in cases where it is unreasonable to blame them (like a nation state attack or something) it becomes a different story. Not so easy....

  • Of course we should ask any entity that collects our data to be accountable for it, but imho we also need to accept and internalize that:

    1. Our sensitive data will get out into the world. It is just a matter of time. Whether it is because of any given company's lax security policy, or malicious actions by internal/external personnel, or intentional selling of user data without approval (*cough* Facebook *cough*).

    2. We individually need to own some part of keeping our data safe, or implementing processes that won't hurt us too badly when our data gets out. This includes, among other things:
    - Locking our credit reports
    - Not using the same password on more than one site
    - Not using the same credit card number on more than one site (the one I use allows me to create unlimited virtual numbers, so I create a new one for each website I do business with; there are 3rd party providers that will also do this for you), so if one site is hacked you don't have to change it everywhere else.

    Hakim Ali
    www.sqlzen.com

  • hakim.ali - Thursday, December 20, 2018 8:12 AM

    Of course we should ask any entity that collects our data to be accountable for it, but imho we also need to accept and internalize that:

    1. Our sensitive data will get out into the world. It is just a matter of time. Whether it is because of any given company's lax security policy, or malicious actions by internal/external personnel, or intentional selling of user data without approval (*cough* Facebook *cough*).

    2. We individually need to own some part of keeping our data safe, or implementing processes that won't hurt us too badly when our data gets out. This includes, among other things:
    - Locking our credit reports
    - Not using the same password on more than one site
    - Not using the same credit card number on more than one site (the one I use allows me to create unlimited virtual numbers, so I create a new one for each website I do business with; there are 3rd party providers that will also do this for you), so if one site is hacked you don't have to change it everywhere else.

    Agreed. No amount of regulation will really stop eventual leakage, just as strict laws do not eliminate auto crashes. That's why we have airbags, seatbelts and ambulance services... to reduce the damage when the inevitable happens.

    But things can be done at the user level and the payment level. Outfits like Facebook have no interest in restricting your information, as compared to a normal business which has a commercial interest in NOT sharing their customer list. One thing that would help is the ability to generate a crypto key to lock a credit card to a single vendor. Hence any theft of the CC information would be useless anywhere else, but still provides the convenience of reorder from the legitimate vendor.

    Also we should NOT be using biological ID (especially over the net) or other not readily changeable information (birth, SS, family etc). All identification should be quickly and effectively cancelable.

    ...

    -- FORTRAN manual for Xerox Computers --
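
One way the "lock a credit card to a single vendor" idea above could work, as an added sketch that is not from the thread or any real payment network: the issuer derives a token as an HMAC over the real card number and the merchant it was issued for, so a token stolen from one merchant recomputes to a different value when another merchant presents it. It assumes the issuer already authenticates which merchant is presenting the token, and the key, merchant names and PAN are constructed demo values.

```python
import hashlib
import hmac

# Hypothetical issuer-side scheme (constructed for illustration, not a real
# payment-network protocol): token = HMAC(issuer_key, PAN || merchant_id), so it
# only verifies when the same merchant presents it.
ISSUER_KEY = b"constructed-issuer-secret-for-demo"

def issue_token(pan, merchant_id, key=ISSUER_KEY):
    """Cardholder asks the issuer for a token usable only at merchant_id."""
    msg = f"{pan}|{merchant_id}".encode()
    return "tok_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]

def authorize(token, presenting_merchant, vault, key=ISSUER_KEY):
    """Issuer check at authorization time. `vault` maps token -> real PAN and
    never leaves the issuer; a token that leaked from merchant A and is replayed
    by merchant B recomputes to a different value and is refused."""
    pan = vault.get(token)
    if pan is None:
        return False
    expected = issue_token(pan, presenting_merchant, key)
    return hmac.compare_digest(expected, token)

def demo():
    pan = "4111111111111111"            # well-known test PAN, not a real card
    tok = issue_token(pan, "shop-a.example")
    vault = {tok: pan}                  # issuer-side record created at issuance
    return (authorize(tok, "shop-a.example", vault),
            authorize(tok, "shop-b.example", vault))   # (True, False)
```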

  • One thing that most all data breaches have in common is that it involves data access patterns that are not typical. The hacker must poke around, exploring for vulnerabilities, and then download protected data in bulk. There are monitoring tools that can help detect and block that type of thing.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
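
The two atypical access patterns the post names, probing across many tables and then pulling data in bulk, can be picked out of a database audit log with a small baseline check. The following is an added example, not code from the thread or any monitoring product; the log lines are constructed and the thresholds (50x the login's own median row count, four distinct tables within two minutes) are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# Constructed audit-log sample (not from any real system): time, login, table,
# rows returned. The 09:01 burst is the "poke around, then pull in bulk" pattern.
AUDIT_LOG = """\
2018-12-20T08:12:01 user=app_svc table=Orders rows=12
2018-12-20T08:12:05 user=app_svc table=Customers rows=1
2018-12-20T08:12:14 user=app_svc table=Orders rows=9
2018-12-20T08:13:02 user=report_svc table=Orders rows=5000
2018-12-20T08:13:40 user=report_svc table=Orders rows=4800
2018-12-20T09:01:10 user=app_svc table=sys.tables rows=0
2018-12-20T09:01:12 user=app_svc table=Users rows=0
2018-12-20T09:01:13 user=app_svc table=PaymentCards rows=0
2018-12-20T09:01:15 user=app_svc table=Passports rows=0
2018-12-20T09:02:00 user=app_svc table=PaymentCards rows=250000
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) table=(\S+) rows=(\d+)$")

def parse(log):
    """Audit lines -> (timestamp, user, table, rows); malformed lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts, user, table, rows = m.groups()
        events.append((datetime.fromisoformat(ts), user, table, int(rows)))
    return events

def find_anomalies(events, bulk_factor=50, probe_tables=4, window=timedelta(minutes=2)):
    """Flag bulk pulls (rows far above the login's own median, which the outlier
    itself barely moves) and probing (many distinct tables inside one window)."""
    rows_by_user = defaultdict(list)
    for _, user, _, rows in events:
        rows_by_user[user].append(rows)
    baseline = {u: max(median(r), 1) for u, r in rows_by_user.items()}
    recent = defaultdict(deque)        # per login: (ts, table) inside the window
    last_distinct = defaultdict(int)   # so one burst raises one probe alert, not many
    alerts = []
    for ts, user, table, rows in sorted(events):
        if rows > bulk_factor * baseline[user]:
            alerts.append({"kind": "bulk", "user": user, "table": table, "rows": rows})
        q = recent[user]
        q.append((ts, table))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= probe_tables and last_distinct[user] < probe_tables:
            alerts.append({"kind": "probe", "user": user, "distinct_tables": distinct, "at": ts.isoformat()})
        last_distinct[user] = distinct
    return alerts
```

Run over the sample, it raises a probe alert for app_svc at 09:01:15 and a bulk alert for the 250,000-row PaymentCards read, while report_svc's routinely large reports stay below its own baseline.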

