• Gary Varga (2/25/2014)


    We should be doing the right things and be seen to be doing them. Except for a possible small number of exceptions, I would hazard a guess that the majority of hackers are either criminals or cyber-vandals. As such I would expect both groups to be more interested in easier targets (no pun intended). Criminals will want to maximise their gains from low risk/low effort activities whilst cyber-vandals are more likely to be interested in high profile results possibly without serious amounts of talent.

    This is the classic scenario of not necessarily being able to make the situation impossible rather than make it difficult to a level that there are easier targets available.

    Also by taking the appropriate steps then stakeholders should attain a level of reasonable confidence. It may also provide evidence that due diligence was performed in a more legal setting.

    It does not appear that Target was that easy. They did not hit Target directly, they hit the third party card readers, gaining access through another third party (HVAC system maintenance). They used a RAM scraper to grab info during the short time while it was not (could not be) encrypted.

    The point I see from this is that there are, and will ALWAYS be, attack points that are outside of your control. To paraphrase the old STD public health warnings, it's not just your vendors and customers to worry about, but all of their vendors and customers as well.

    I find it absurd, though, that the government is threatening more legal sanctions for security leaks when they can't even keep their own house in order (NSA anyone?).

    ...

    -- FORTRAN manual for Xerox Computers --