June 22, 2011 at 8:15 am
I like what PSN had to do recently. They had to take out 1,000,000.oo in identity theft insurance for every customer that might have been affected by thier breech.
I think this should be the new standard.
Then the incentive would be for the insurance companies to hack the networks to drive up business.
I bet that would usher in a very prosperous era of Corporate Security updates.
June 22, 2011 at 8:17 am
Eric M Russell (6/22/2011)
For example, building codes specify how plumbing should be installed and what type of pipe materials are allowed. Thank you. The FDA bans certain medical procedures that proven ineffective and high risk. Thank you again.
I think this could be somewhat effective but with the speed at which coding practices change I'm not sure how effective it'll be in the end. Plumbing and surgery are relatively slow changers but there are certainly some things that could be done. Auditing this would be another problem. Whereas for building changes you need a building permit, at least in some areas, you don't when deploying an application change. And I don't think anyone wants to go down that road.
Eric M Russell (6/22/2011)
Citibank hacked. By changing account numbers. In the URL -
Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar...
http://channel9.msdn.com/Forums/Coffeehouse/Citibank-hacked-By-changing-account-numbers-In-the-URL
I wouldn't assume that major news outlets would release all the details of a hack, just what the public is likely to recognize. I'm not sure about the reputation of what I'm linking to below but it is at least a security focused site so I trust it more to give more detail and all it adds is that changing the URL was scripted.
June 22, 2011 at 8:28 am
Boy, Steve, you nailed this one! I work in an industry closely related to healthcare (it isn't really, but there are similarities), and our budget is shrinking constantly (20% this coming fiscal year alone!). I worry constantly about how to satisfy regulatory requirements, with almost nothing to go on.
Kindest Regards, Rod Connect with me on LinkedIn.
June 22, 2011 at 8:30 am
blandry (6/22/2011)
Think about it - there used to be a company called Arthur Andersen. During the Enron debacle they lied, shredded documents and a number of their staff were caught, sent to jail, slapped with huge fines, and it all brought down the company (which re-emerged later as Accenture). But they don't do the "Enron" shuffle anymore. They learned a lesson.Catch a few hackers, put them away for a very long time, and make it as public as possible. Do that and you would see a huge drop in hacking.
Correction, the Arthur Andersen that was involved in Enron and shut down did not turn into Accenture. That was Andersen Consulting, which had split from Arthur Andersen, CPA's before the scandal because the consulting arm was tired of subsidizing the accountants.
The problem with trying to jail the hackers is that a significant portion of them aren't actually present in the US, and are largely untouchable by the legal system.
I would be happy to have regulations that require immediate disclosure of data breaches, indemnities for affected customers, and fines and jail time for failing to follow the regulations. Putting CEO's on notice that they are subject to jail tends to get policies in place quickly.
June 22, 2011 at 9:52 am
Good comments, and a heated debate, and please try to remain courteous to others.
@djackson 22568 - Great points about the fines going to government. That's not a solution. Perhaps a better one is a requirement for insurance (as pointed out by @SanDroid) and class action status for those affected. Course, I'd like to reform and limit lawyers fees from class actions, but that's another topic.
It's also easy to say "close your account and move on", but the reality is that is not easy (you might have a mortgage) and I would bet many banks have security issues. So if that's the case, what do you do? Some accountability is needed, and unfortunately it's not coming from executives.
@SanDroid - You are on par with the fact that jailing hackers is hard, done inappropriately, and isn't necessarily solving the problem. We should pursue them, but also perhaps hold some accountability from executives. Not sure how here, maybe cancel their insurance and link bonus payments to insurance?
To others, it's easy to call for regulation on code/standards, just like in other industries, like building. The problem is that not only is it hard to decide what is the standard. If someone discovered XSS tomorrow (I know it's out there), when do we require it? When is an MD5 hash of your credentials not acceptable and when do things need to change. I agree that we need some bar to be set, either through regulation (Ugh!) or insurance requirements (better), but what is that bar and what is the timeline for compliance?
June 22, 2011 at 10:13 am
I think a lot of people are missing a fundamental point, under other regulations much of this data should have already been protected. I worked in a big bank and I don't think they did enough to protect the data in the tables, even though I believe that regulations say they should, and places like Sony, under PCI should have had much of this data encrypted. Why aren't they getting hammered for that?
Where I'm going with this is that regulations don't make things secure. To bring up a cross point that is on a controversial topic, the Columbine kids broke 18 gun laws prior to their rampage, would 19, 20, or 21 have made us more safe? I see a similar problem here. They are big companies who by virtue of being big think they can do what they want, and it bit them in the rear this time.
Additional regulation isn't going to help, actually enforcing the regulations we have should be tried first, especially at big companies since they have a lot more data to steal with a lot wider danger to the rest of us.
CEWII
June 22, 2011 at 10:50 am
@CEWII, unless the existing regulations force company executives to personally feel the pain, they will be ignored to the extent it's more economic to do so. One of the better features of Sarbanes-Oxley, to my mind, was forcing the CEO and CFO to take responsibility for the financials - they can't blame problems on underlings unless positive steps have been taken to ensure that company policies are known and enforced. We had a CEO that said, only half joking, "I'm not going to jail for your stupid mistake". That's the attitude at the top that ensures compliance with regulations.
June 22, 2011 at 11:04 am
Sounds like a fairly minor tweak to me, shouldn't require wholesale legislation.
CEWII
June 22, 2011 at 11:05 am
Steve Jones - SSC Editor (6/22/2011)
Good comments, and a heated debate, and please try to remain courteous to others.@SanDroid - You are on par with the fact that jailing hackers is hard, done inappropriately, and isn't necessarily solving the problem. We should pursue them, but also perhaps hold some accountability from executives. Not sure how here, maybe cancel their insurance and link bonus payments to insurance?
I think if our current laws and regulations for data secruity were extended to all copanies, not just those in Healt Insurance or Publicly Traded.
Then accurately and properly enforced, we would see a large reduction in this.
Hacking will never go away. As long as money can be made from selling information obtained illegaly it will be done.
June 22, 2011 at 11:20 am
I've not worked in a bank but when interviews has been done in Sweden about the security solutions which are used it falls on a cost/gain ratio.
It's not cost efficient to build the perfect system. It also does not harm the consumer because the bank refunds you on lost capital if you somehow lost cash in a card scam or security breach.
I however believe too few solution developers has sufficient knowledge about security and thus it is also ignorance for a problem which creates this situation. This is however a dba forum and perhaps few here builds and maintains both the application with it's database. If you dont only work with databases, do you for instance know about cross page scripting which is one very common way to hack?
June 22, 2011 at 11:26 am
Elliott Whitlow (6/22/2011)
Additional regulation isn't going to help, actually enforcing the regulations we have should be tried first, especially at big companies since they have a lot more data to steal with a lot wider danger to the rest of us.CEWII
So true. Our recent "Too Big To Fail" problem was not caused by a lack of regulation. It was caused by nobody enforcing the ones that existed.
If we are going to rely on the government to regulate in the best intrest of the people, and not themselves, then they need to be held directly and imediately accountable when "the system fails". The "system" does not fail to give me a ticket if I run a Red Light and the cameras are turned on. A system fails because you let it fail, or you never wanted it to suceed.
Look at the EPA. Currently they advise corporations on the loopholes in existing regulations. They have become the agency for protecting companies from Environmental laws. How did that happen? Did the "system fail"?
For those that want to complain about the cost of enforcing legislation and regulations correctly look at what "Too Big To Fail", "Enron", "The BP Oil Spill", "Natural Gas FRACKING", etc... cost us.
What does it cost when we pay for the system, pay for the failure, and pay for the bailout?
If we can waste billions on the DEA Drug War, why can't we spend a few more million on regulating corporate security?
June 22, 2011 at 11:47 am
IceDread (6/22/2011)
It also does not harm the consumer because the bank refunds you on lost capital if you somehow lost cash in a card scam or security breach.
This is not how it used to be in the USA.
Until recently the consumer or banker was responsible for making sure thier information was secure and the burdon of proof was on them. If someone stole your checks and started using them, the only way to recover that loss was from the thief. The Bank could not and would not insure accounts for this kind of loss.
Identity theft and credit card fraud worked the same way. You had to prove to the bank that it was not your fault.
Recent legislation has changed this in the US.
June 22, 2011 at 11:54 am
It seems odd that the government, with many seurity failures of its own, year after year (Wikileaks?) is in any position to decide how others protect their data. And regulations, because they are generalized and abstract, really do little to actually improve security; good security can be implemented without regulations, bad security can be done despite them.
It's not really so much a matter of demanding severe punishments either, that has a relatively small effect on the likelihood of a crime being committed.
As an analogy that I've used before: we try to reduce highway accidents, but we also acknowledge that they will never be eliminated. So we do other things: we have insurance, airbags, body repair shops, we have emergency medical support should that be necessary--in other words we try to mitigage the damage as much as possible.
We all like the convenience of having our credit on file with repeat vendors, but what if the number they have is hashed to them alone... so that no one else could charge against that card even if the numbers were compromised?
We need a change in legal and corporate structure that realizes, yes, leaks WILL happen and we need a way to deal with them rather than hand wringing and more regulations. We need fast efficient ways (this is very possible) of 'instantly' shutting down any compromised account and conveniently reissuing to the valid vendors (and this should be implemented by the credit card companies). We need clean ways of protecting customers from the financial loss including insurance policies maintained by merchants, or bettery yet by the credit card companies (that way it is not necessary to determine which vendor actually leaked the information--often difficult to do with any legal degree of certainty).
There will be security failures. We can't change that, but we can change how we deal with them.
...
-- FORTRAN manual for Xerox Computers --
June 22, 2011 at 11:57 am
SanDroid (6/22/2011)
IceDread (6/22/2011)
It also does not harm the consumer because the bank refunds you on lost capital if you somehow lost cash in a card scam or security breach.This is not how it used to be in the USA.
Until recently the consumer or banker was responsible for making sure thier information was secure and the burdon of proof was on them. If someone stole your checks and started using them, the only way to recover that loss was from the thief. The Bank could not and would not insure accounts for this kind of loss.
Identity theft and credit card fraud worked the same way. You had to prove to the bank that it was not your fault.
Recent legislation has changed this in the US.
Uh, no. Banks have been responsible for forged checks for decades, especially if you reported the loss of the checks. As for credit cards, consumers in the US have been responsible for only $50 in unauthorized charges if card loss was reported for as long as I can remember, which is back into the 70's. The best way to prevent card fraud in the US would be to move to the chip and PIN method that's common elsewhere in the world.
June 22, 2011 at 12:05 pm
jay holovacs (6/22/2011)
As an analogy that I've used before: we try to reduce highway accidents, but we also acknowledge that they will never be eliminated. So we do other things: we have insurance, airbags, body repair shops, we have emergency medical support should that be necessary--in other words we try to mitigage the damage as much as possible.
I love your statement but it is seriously confused.
In the US, all or most of these things happened AFTER State and Federal legislation/ regulations required it. Cars did not even have useable or safe seat belts until laws passed that required it and regulators started inspecting them to make sure they worked as expected.
We have legislation and regulation to help consumers and companies insure against Identity Theft and Revenue loss caused by data loss.
IMHO: The only way to know if something is working is to monitor and test it.
Viewing 15 posts - 16 through 30 (of 46 total)
You must be logged in to reply to this topic. Login to reply