Why is that "sad"? Nature has gone the same path. We have basic defenses that are "on" all the time (passive immune system - nonspecific), and we have an adaptive response that reacts to what actually happens to us, which also means threats we actually encounter will be recognized and fought more quickly and better in the future. Or houses - having lived in the US, those front doors are at least an order of magnitude less secure than any German front door, but even those are not really able to keep out any determined intruder.
Why should we mount a very expensive all-out defense against a lot of perceived threats? It's similar to "every child (programmer, etc.) MUST know this!". Making demands is easy. If people don't care there probably is a deeper reason. Yes, the heuristic gets it wrong, that's why it's a heuristic, but that it is one in the first place also has similar reasons.
It sure is possible to criticize a concrete company for concrete problems, but the blanket statement of the headline is not useful.
The problem is that this isn't about saving money overall. Users pay the primary costs of the company's security errors, so it's a moral hazard problem.
Right now, companies that lose data don't pay any costs at all until afterwards, and those costs are usually minimal. The reputational damage is reduced because no one knows until (well) after the breach, and any financial info lost is consumer credit cards rather than corporate accounts. Yes, users sometimes get free identity theft monitoring, but those services are quite cheap to account for the fact that they don't actually work.
More specifically, this is asymmetric information and therefore the market can't adjust for it. When Yahoo loses my data, will my passwords be salted and well-hashed? How could I possibly know in advance? Consumers aren't making privacy and risk choices, they're using the internet as best they can and getting repeatedly burned for it.
If you want a clear contrast, companies are enormously concerned about "whaling" attacks, and are working hard to prevent them. Those attacks take corporate money in real time, so the costs are properly factored in. Moral hazard is inherently about broken cost-benefit measurement.
When your front door isn't secure enough, you and/or your insurance company eat the loss. The point of this headline is that when Yahoo gets attacked their customers are going to eat the loss, yet it's Yahoo who screwed up.
That's IMO a clear example of misaligned incentives.
Consider many other product markets, when there is a defect in someone's product there are legal remedies. These are in place to provide an incentive for companies to do something they otherwise would not.
Examples of this would be food safety legislation, fire safety legislation, building regulations etc. In all those cases it was considered a good thing (by society) to implement laws to make companies take these things into account.
IT in general lacks this kind of legislation, and as a result companies unsurprisingly make commercial decisions not to improve security where they feel it would cost a lot of money to do so.
The problem comes in the negative externality: the company with bad security isn't the company that takes the loss, similar to the negative externality that the person who made a weak bridge likely doesn't die when it collapses.
So a logical argument might be to use legislation to fix this externality and make it a better decision for companies to improve their security...
Because attacks in software are always getting better, not worse. If it's a smaller company it's a shame - many of them simply don't have the resources to dedicate to properly hardening themselves against attack, and it can destroy their company.
> Why is that "sad"? Nature has gone the same path. We have basic defenses that are "on" all the time (passive immune system - nonspecific), and we have an adaptive response that reacts to what actually happens to us
While it's true that nature has taken the same path for the same reasons, I don't think I'd have to look very hard for people to agree that the fact that people fall ill, sometimes seriously so, is "sad".
Because there are significant external costs that the entities sloppily handling records don't have to pay but the rest of us do. Presumably that's the reference they had in mind when they referred to the "Ford Pinto formula," since it's unlikely customers would have agreed that it was better to have cars that had some risk of blowing up and killing them so Ford could make more money.
One reason it's true is because companies only measure actual cost, not opportunity cost. How much did it cost Yahoo to have every tech-savvy person in the world switch to Gmail because of Yahoo's lousy (and Google's excellent) security infrastructure? Where the tech-savvy go, the tech-unsavvy often follow. As they did with Gmail.
But lost revenue opportunities don't show up in the bottom line, so cost-focused managers don't think about them. And they conclude it's "cheaper" to not invest in this or that thing that their smarter competitors are doing.
"What gets measured gets managed." People think this (apocryphal) Drucker quote is advice. It is not advice. It's a warning.
Actually, it was the free space. Everyone who used Gmail didn't trust it very much and was wary about Google sharing their info, especially as it was showing ads related to your email archive.
I am sick of seeing headlines about teenager hacker being put in jail.
It's not because they are geniuses it's because of poor IT defense.
The companies should be severely fined for criminal negligence.
I get what you mean, but poor defense ain't no excuse to hack the hell out of a company, neither legally nor morally. Plus I don't buy the notion that some teenager had no clue that what he was doing would harm others' livelihood (if yes, then he should go through psychiatric evaluation).
If I don't put a 3m electric fence with automatic sentry guns around my whole hypothetical house and land, does it mean everybody is automatically invited to freely try to break in, do damage, steal my stuff or post my private and legal data online for others?
The state should have better use for these guys, but there should definitely be punishment, not reward in any way. That's how all countries run these days.
An uncovered and unlocked hot tub in the back yard can be seen as an "attractive nuisance." Sure, the kid trespassed by climbing over the fence, but he wouldn't have drowned if the thing had been secured.
Sure, the hacker broke the law by hacking in, but I wouldn't have had my PII stolen if the thing had been secured.
You wouldn't say the same about a deadbeat teenager who smashes a car window and grabs someone's purse. "It's not because they're criminal masterminds, it's because of poor car defense."
Locks, physical and mathematical, are for the deterrence and convenience of the generally honest. Law enforcement, as an active defense, is for the deterrence of the actively attacking. At some point you're always going to have to stop turtling and build an army.
And I get downvoted for saying self-driving car companies should be fined significant amounts of money both for car accidents due to poor self-driving software capabilities and for security breaches.
What if it's "cheaper" for the car companies to let the cars crash than adopt stronger security? You may think that there's no way a recall would be worth it, but we're already seeing companies such as Tesla "fix" the issue over the air, and chances are most of the new self-driving cars will be fixed the same way, if not all.
The only thing that would be left is the "bad PR", which may be much smaller in the future, because there won't be any recalls. If only 2 people die, and then all cars are fixed, the outrage just won't be as big as when 100 people die due to a brake malfunction, and then 5 million cars have to be recalled, impacting 5 million people (as opposed to only the families of those two in the former example) that would then personally spread the bad news.
Also the "bad PR" doesn't seem to affect tech companies, or even retailers, or banks, all that much, so I doubt it would affect car companies that much more in the future (for the reasons I mentioned above).
All that needs to happen is for a court to define poor IT security as an "Attractive Nuisance", and just generally make companies liable for their customers' information (and more broadly if possible).
I think this article is making a decent point but with bad data. We know of many cases where the cost of insecurity drastically outweighed the cost of basic security. The most obvious is banking, where no security would drain all their money. So, they combine prevention, detection, auditing, and computers hackers can't afford to keep losses manageable. Another example of putting a number on it is the Target hit that, in the last article I read, was something like $100+ million in losses. Let's not even get to the scenario where they start targeting power plants or industrial equipment whose management foolishly connected to the net.
It also helps to look at the other end: minimum cost to stop most problems. Australia's DSD said that just patching stuff and using whitelisting would've prevented 75% of so-called APTs in their country. Throw in MAC-enabled Linux, OpenBSD, sandboxed (even physically) browsers w/ NoScript, custom apps in safe languages, VPNs by default, sanest configuration by default, and so on. Residual risk gets tiny. What I just listed barely costs anything. Apathy, which the article acknowledges, is the only explanation.
A nice example was the PlayStation Network hack. I didn't expect them to spend much on security. I also didn't expect it to come down to having no firewall (they're free) in front of an Apache server that was unpatched for six months (patches are free). That this level of negligence is even legal is the main problem.
I wonder if one of the problems is that the focus is too much on costs.
What I see all the time in IT security is that for many people doing security means spending lots of money on products with highly questionable promises. It's very doubtful that many of the security appliances you can see at RSA or Black Hat do any good; in many cases they add additional risks. But the industry is selling a story that the more boxes you buy and put in front of your network the better.
For a lot of companies there are very cheap things they could do to improve their security. This starts with such simple things as documenting on the webpage who outside security researchers should contact if they think they found an issue in the company's infrastructure.
So I have quite some doubts that the formula "spending more on security == better security" holds.
It's sad because it's true. In 2018 the EU data protection regulation gets put into play though, which might change that partially by effectively increasing the cost of losing control of data.
"Cheaper" is not including the full cost of compromised data. Compromises don't only affect companies' bottom lines, but also those who were compromised. The costs to individuals are undoubtedly much harder to quantify.
I totally agree, but I think in this case they are saying it's cheaper for the company, which is what really matters in this context (since they're comparing it to how much the company would pay for security).
I mean, if the company's website gets hacked and your credit card data is stolen, then your card is charged $1,000, it's not the company that pays for it, right? You either talk to your bank to mark the purchase as fraudulent and get the charges reversed, or pay for it yourself (e.g. if it's a debit card).
Perhaps that's the solution though: a way to directly associate fraudulent purchases with security breaches where credit card data has been stolen, and a law that requires the breached party to pay all expenses related to that fraud. That would get all major retailers scrambling to get their shit secured.
I'm not so sure it's cheaper. The business cost can be enormous. See the Target breach, which led to FIRING the CEO. And Yahoo, which may have their deal with Verizon at risk now due to the latest breach.
That is why, as a sole dev, I no longer offer full-stack solutions: clients simply do not want to pay for the hours it takes to keep their back-ends monitored and secured. Yet dynamic data is mostly inevitable in any modern web solution, so I am increasingly relying on BAAS providers. My gamble is that it should be easier/cheaper for BAAS providers to maintain a team of knowledgeable and experienced engineers to tend infrastructure that runs several back-ends. It seems like a natural step from "hey, I trust you can run my hardware, take my money" to "hey, I trust you can manage my data, take my money".
Yes, you notice it when you deal with sites where bad security can be costly, like on a (bit)coin exchange (i.e. Bittrex). You get an email at every successful login, 2FA is encouraged from the start, enabling the API keys requires 2FA, Google reCAPTCHA at every login, logout as soon as you close the browser, API keys with different levels of functionality, API requires SHA512 hashing of API key and API code and a time fingerprint. It's pretty refreshing to be honest.
Yahoo customers are advertisers, not people with email accounts. Account holders are just a resource, and in aggregate I'm willing to bet most won't know what this hack means to them, even if they learn about it. What are the chances they lose 30% or more of this resource, users terminating their accounts? The stock price suggests the account holders don't care or have no meaningful recourse.
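The comment above about the exchange API (SHA512 over the API key plus a "time fingerprint") describes a request-signing scheme. The following is an added example, not code from the thread or from Bittrex, showing the general shape of such a scheme from both sides: the client signs a canonical form of the request with HMAC-SHA512 under a per-key secret, including a timestamp and a random nonce, and the server recomputes the signature in constant time, rejects stale timestamps, and keeps a short-lived nonce cache so a captured request cannot be replayed. All key material, the key store, the paths and the skew window are constructed for the example and are not the real exchange's parameters or API.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed sample credentials for the example only (not real keys).
API_KEY = "demo-key-0001"
API_SECRET = b"constructed-secret-do-not-reuse"

# Server-side key store, api key -> secret. Constructed for the example.
KEY_STORE = {API_KEY: API_SECRET}

# Assumed replay window: requests older or newer than this are refused.
MAX_SKEW_SECONDS = 30


def canonical_string(method, path, params):
    """Deterministic representation both sides sign: method, path, sorted params."""
    return f"{method.upper()} {path}?{urlencode(sorted(params.items()))}"


def sign_request(method, path, params, api_key, secret, now=None):
    """Client side: add key, timestamp and nonce to the query, sign with HMAC-SHA512.

    Returns (params_to_send, headers_to_send).
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    full = dict(params, apikey=api_key, timestamp=str(now), nonce=nonce)
    sig = hmac.new(secret, canonical_string(method, path, full).encode(), hashlib.sha512)
    return full, {"apisign": sig.hexdigest()}


class Verifier:
    """Server side: key lookup, freshness check, replay cache, constant-time compare."""

    def __init__(self, key_store, max_skew=MAX_SKEW_SECONDS):
        self.key_store = key_store
        self.max_skew = max_skew
        self.seen = {}  # nonce -> expiry time; only needs to live for the skew window

    def verify(self, method, path, params, headers, now=None):
        now = int(time.time()) if now is None else now
        # Drop nonces that are outside the window; any request reusing them would
        # already fail the timestamp check.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}

        secret = self.key_store.get(params.get("apikey"))
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(params.get("timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        nonce = params.get("nonce", "")
        if not nonce or nonce in self.seen:
            return False, "replayed nonce"

        expected = hmac.new(secret, canonical_string(method, path, params).encode(),
                            hashlib.sha512).hexdigest()
        # compare_digest avoids leaking how many leading bytes matched via timing.
        if not hmac.compare_digest(expected, headers.get("apisign", "")):
            return False, "bad signature"

        self.seen[nonce] = now + self.max_skew
        return True, "ok"


def demo():
    """Run the scheme through the cases a defender cares about; returns the outcomes."""
    path = "/account/balances"
    params, headers = sign_request("GET", path, {"market": "BTC-USD"},
                                   API_KEY, API_SECRET, now=1000)
    v = Verifier(KEY_STORE)
    first = v.verify("GET", path, params, headers, now=1000)
    replay = v.verify("GET", path, params, headers, now=1005)  # same nonce again
    tampered = Verifier(KEY_STORE).verify(
        "GET", path, dict(params, market="ETH-USD"), headers, now=1000)
    stale = Verifier(KEY_STORE).verify("GET", path, params, headers, now=1100)
    return {"first": first, "replay": replay, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The nonce cache only has to remember nonces for the skew window, since anything older fails the timestamp check first; in a multi-node deployment that cache would have to be shared (or the nonce made key-scoped and monotonic) for the replay protection to hold.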
Part of the issue is that legally in the U.S. a) privacy violations are usually punishable by law only if a specific non-privacy harm comes of it and b) privacy is treated as an individual right and not a societal good. If a company gets hacked and loses your credit card and bank information afaik it's punishable only if someone actually fraudulently uses the information. It's up to individuals to jointly complain about specific damages to effect changes, and for any given individual there's little incentive to make your own life difficult for vague potential benefits. Also in most cases the individual harm is quite small, even if in aggregate or viewed as a societal harm there is huge damage.
I found this to be true of securing my house. I had several break-ins and the total cost (mostly repairs) was still far less than the cost of installing an alarm system, to speak nothing of paying for police response to false alarms.
I think a lot of these problems could be nipped in the bud by more aggressive code auditing and patch management. It's better to start with fewer zero-day vulnerabilities. Once the zero-day exploits are out there, you have to act to mitigate them. Another way to think about it is to compare it to home construction.
You have to use good building materials to start. After the house is built, you get into the decision cycle of maintaining, repairing or replacing the home.
Sadder reality: this principle has been extended by many CEOs to justify not doing any security. The OP speaks of the costs of running a top-notch system. That's expensive. But please do something. Something more than just relying on your head of IT and your web designer. Read the Ashley Madison report by the Canadian privacy commissioner. A supposed unicorn, and they were doing nothing.
Has your identity been stolen? If so, were you able to determine if a large scale hack was the cause of that? Then were you able to go back and sue that company for your losses? You probably don't even have much recourse, i.e. it's cheaper for you to try to fix your own stolen identity issue than to sue the company that got hacked for remuneration.
All we need to know, to see that it really doesn't matter to the business world despite all the drama in corporate IT over security (if that), is that Apple, Target, and Home Depot are having great quarters after their security breaches, so any consumer backlash is materially ineffective even if people do care - not enough care.
edc117 | 9 years ago
Places like Yahoo have no such excuse.
amelius | 9 years ago
It may be sad for security researchers.
Or for end-users who got their data breached, and aren't compensated fairly.
raverbashing | 9 years ago
Yes, if the IT defenses are poor and they get in, fair enough; another one is if they get the password list and shop around.
You're saying it like it's OK to rob the house with only one lock as opposed to the one with several locks and security cameras.
wil421 | 9 years ago
Just because there isn't a fence around an area that says no trespassing doesn't make it legal to walk through.
"But they didn't have a fence and it was easy to walk into the area."
sarnowski | 9 years ago
This directive will drastically increase fines for data leaks in the EU.