Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? (2017-10-18)
New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.) With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security? The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors is all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.
One idea would be something similar to Underwriters Labs, except it would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies in making secure products, or is this just the way life is now?
Hack them. (Score:2)
Just kidding. I am not advocating unlawful access. But it seems like many companies don't do a damn thing until they have a breach.
Actually many of them don't do much after a breach either.
Let the CFO run IT (Score:2)
After all, it is not like they are judged by any other metric besides spending money or anything like that.
Also go to India or get some college kid to run it for cheap. That is what any MBA will tell you and it is not like it is hard or anything to do.
Insurance (Score:4, Insightful)
Insurance translates risk into dollars into quarterly financials.
Moral of the story: start training for a job as an actuary [businessinsider.com].
With the current state of software warranties, I could not imagine how insurance against hacking events could possibly exist. The initial assessment actively threatens the employment of IT staff, they are being judged and make no mistake, first on the audit list, fire and hire. That also plays out to the rest of staff, as any employee with access to at risk hardware can trigger a security breach.
Sure I could imagine fly by night insurance who take premiums and never make payouts, using lawyers to fend them
Exactly this. Just like we require liability insurance to drive a car, if we required PCI insurance to accept credit cards then there would be a dollar amount associated with it. Currently, PCI compliance is required (and in some cases just recommended) but failure to be PCI compliant is only a problem if you get caught. As much as I hate insurance companies some times, getting them involved would make it so that if a company wanted lower premiums, they would have to actively try to mitigate the risks.
Change liability laws (Score:2)
Add more features (Score:3)
Features are what counts. The more features software has, the better it is. And add more layers, because abstraction and indirection are good. And most importantly, make it bigger and more complex because everyone knows that code is good so the more code the better.
Eventually not even the hackers will understand it and we will all be safe.
Easy (Score:2)
Everyone at the top (CXO, board members, top paid employees based on cash plus stock options plus etc.) serves 1 day in prison for every instance of leaked info.
Chase it down through subsidiaries, contractors, shell corporations, spouses, etc.
The other option is mob justice. (Which is fine by me.)
C-level execs in handcuffs (Score:2)
Haul some C-level execs away in handcuffs. And don't put them in some white-collar resort prison either.
Black Box full of security (Score:1)
The Pocket Book (Score:2)
So make it. Your company released data on 32 million people due to shoddy security? Your company will have to contact each one directly, individually, and cut them a check for $1000[1] on top of whatever monitoring services they might need now. Same thing if it's only 32 people.
This won't fix IoT issues, of course, but there's a different mechanism that could: cost internalizing. Require companies to pay into a fund for proper disposal of their produ
Stop relying on them (Score:2)
If they aren't already interested in paying attention to security, pointing out where their security is flawed won't change anything. At best, they'll just think you're acting like some kind of know-it-all, and at worst, they might make your life thereafter somewhat unpleasant.
If a company doesn't pay attention to security, run in the other direction. Get as far away from them as you can.
Arguable statement (Score:3)
"This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism."
It's actually more complicated than this. You need to factor in the customer.
The vast majority of customers for above-mentioned devices are "IT security-impaired". In layman's terms, they have no fucking clue (I don't blame them by saying this, it's just the way things are). So they vote with their wallet.
If company A is very security-focused and produces aLightbulb with upgradeable firmware and active development for said firmware, but company B doesn't give a shit, you will end up with bLightbulb which costs 10 times less than aLightbulb. Guess which company would go out of business?
IoT is filled to the brim with customers looking for the cheaper alternative, and security isn't a driving factor to motivate them to buy the more expensive product. Getting companies to agree on a security standard? Good luck with that, there's always going to be the profit-oriented company willing to sell their lightbulbs 15% cheaper, and have them cost 4 times less, undercutting and eventually buying off competition.
Not saying I agree with how things are, but then again, it's how they are.
devices need to have os and app code split (Score:2)
devices need to have os and app code split into their own updates so it's easier to push out updates.
Not hiring a Music Major for IT security (Score:2)
Seems to be a given,
Simple. Sue them out of existence (Score:2)
1-2 companies become memories because they got breached, Cxx's might give IT departments the resources they need to prevent breaches.
conjecture much? (Score:2)
"this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.)"
So companies could do it if they knew it was a problem, but they don't because they're blissfully unaware, and the only people that would tell them won't?
Regulation (Score:2)
Buildings don't collapse, trains don't crash and planes don't fall out of the sky because there are strict government standards on how to make one. These standards cover the software used in them as well, and we now actually have some reasonably good standard practices on how to make software reliable. Unfortunately, reliability and security are not the same, so what's needed is a set of standards that describe how to make secure networks. I fully understand that's not an easy job, but I'm pretty sure that