water is wet.
Ever since you did, you have been blowing something up almost monthly with your updates.
The $200k figure is internalized costs; the cost of providing free credit protection to those affected (which almost no one takes them up on), and investigators to figure out what was breached, how, by whom, and to maybe patch the hole they got in through.
This is a good point about the PR stunt of credit protection. What a joke.
The externalized amount, the burden on those whose data was stolen, is far greater.
Also a really good point. Until someone class actions up on a few of these companies we're going to see IT security continue to race to the bottom just like everything else in this industry.
Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weigh the costs of spending more and more on preventive security solutions versus the cost of a security breach.
Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focusing mainly on prevention.
You're exactly right. The first thing that I tell people about computer system security is that there is no such thing.
As you said, in computer security when you're on the defense -- you lose. All you can do is raise the bar as high as you can with the budget and resources given to you, and then you plan for recovery with the expectation you'll need to at some time. Security is risk mitigation and nothing more.
I think the issue here is that when people are having their information compromised in a widely publicized manner every few months it becomes accepted. So the "cost" to these companies is going down as far as reputation and possibly lawsuits as well. They shouldn't be getting off this easily but really.. no one seems to care. Until they go to take out that new car loan and find out their identity has been jacked and they are going to spend the next few years trying to clear up their credit score, that is..
Once you take the profit motive out and allow centrally planned offices to remove the research redundancy and the creativity of committees to combine in these controlled ways
Don't forget the importance of having everyone on the engineering team educated in public institutions.
What a load of shit.
There can be bad management in private organizations just like there is bad management in public organizations.
And if we're talking about research and development, the public always does the bulk of pure research anyways..
So the circle-jerk can stop.
Please, let me know when you are aware of a "Capitalist" system?
Because what we have ISN'T CAPITALISM.
Think about it:
- the subprime crisis happened for a number of reasons, but one of the primary ones was that 3 rating agencies have had the blessing in federal law since what, the 1920s(?) to be the "official" rating companies. Without that benediction, investors would have to actually scour the marketplace for reliable sources of information which would THEMSELVES be proven by market-testing over time.
- rather than have an FDA telling us all what to eat and what not to eat (which is apparently entirely bought and paid for by corporate interests) people would have to actually figure it.
The question is, which is better: a central "authority" that is corruptible and can be co-opted, or NO authority, forcing people to figure shit out for themselves?
There are obviously terrible ideas.
Agencies like the FDA were created in the first place because when these things were not regulated and vetted products were being sold that lied in their claims / ingredients / safety.
Not everyone has the time, education and/or equipment to test all the things that they use in day to day life themselves.. don't be absurd.
I've been wondering if Capitalism is fatally flawed. We've seen reckless, foolish greed destroy lives time and time again. It seems capitalism elevates psychopathic individuals to positions of great power and responsibility. Of course people of that sort abuse their power. Strip resources from everything within reach, leaving behind waste and destruction.
Unregulated capitalism is the wild west. That is why you need a government and regulatory oversight to correct problems that arise.
The really big problem is regulatory capture and the money in politics that removes these checks.. which is what we have right now. A run-away train.
This has always been the case.
Unfortunately, most companies treat information security as an IT task instead of a company wide mindset.
In the push and pull of security vs. convenience IT generally loses.. but they *do* get to take the blame once things go wrong.
Every time nuclear power is touted as the end-all, be-all solution going forward (by people here and on other sites), I shake my head.
I know that the technical problems have all been solved and we have breeder reactors and everything is unicorns and rainbows.. until you involve people and the dollars and cents.
Then corners get cut, the technical people aren't listened to, and we deal with enormous costs (transferred to the public) and with the possibility of radioactivity for thousands of years.
Unions raise wages at first. The dark side that they don't tell you about is that this causes the companies to try to find other ways to cut costs, and eventually leads to the jobs moving overseas.
Aren't they doing that every chance they get already?
Just like with their foothold in the enterprise for Office 365 via existing customer base using Active Directory and Exchange, I assume many of their Azure customers they got the same way, whereas AWS didn't have that advantage.
I see MS overtaking Amazon for this reason.
Using Office 365 / Azure AD is a natural extension of what many companies are already using at the enterprise level.
Add in Skype and cloud PBX and you can run a lot of businesses right out of their cloud service on demand and without a capital cost..
This is all true but password changes do reveal password compromises.
And having compromised tomat001 they can go straight onto guessing tomat002.
Really, why don't banks force everyone to change the PIN on their cards every month?
Obviously, reasonable password policies don't allow you to do that.
Some of these questionable policies are driven by business regulations and auditors. If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.
Good luck trying to get the auditor to explain why you need to change your passwords every 90 days; in my experience they can't defend their requirements and simply say things like it's "best practice".
It is only to limit how long a compromised password can be used without being noticed.
Policies that require frequent password changes lead me to:
- pick easy to remember (and therefore easy to guess) passwords
- restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
- Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
- Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.
Frequently changing passwords excludes adherence to most other security good practices.
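The tomat001 -> tomat002 point above, and the "reuse with a counter" habit this list describes, are something a password-change handler can actually detect. The check below is an added example, not code from anyone in this thread; function names are hypothetical, and it assumes the current password is available in plaintext at change time (the user just typed it), since hashed history cannot be compared this way.

```python
import re

# Added example (not from the thread): reject a new password that is the
# current one with only its trailing counter (or letter case) changed,
# e.g. tomat001 -> tomat002, the pattern forced rotation tends to produce.
# Assumes the current password is known in plaintext at change time.

_SUFFIX = re.compile(r"^(?P<stem>.*?)(?P<num>\d*)$")

def split_suffix(password):
    """'tomat001' -> ('tomat', '001'); 'tomat' -> ('tomat', '')."""
    m = _SUFFIX.match(password)
    return m.group("stem"), m.group("num")

def is_counter_rotation(current, new):
    """True when new differs from current only in the trailing digits or in
    letter case, which anyone holding current would guess immediately."""
    cur_stem, _ = split_suffix(current)
    new_stem, _ = split_suffix(new)
    return cur_stem.lower() == new_stem.lower()

def change_allowed(current, new, min_length=8):
    """Policy decision for a password change: refuse counter rotations and
    too-short passwords. Deliberately narrow; it does not replace a full
    strength check, it only closes the rotation loophole discussed above."""
    if len(new) < min_length:
        return False
    return not is_counter_rotation(current, new)

if __name__ == "__main__":
    print(change_allowed("tomat001", "tomat002"))               # False
    print(change_allowed("tomat001", "correct horse battery"))  # True
```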
APL hackers do it in the quad.