cableties
Premium
join:2005-01-27

FTC wants companies liable to be punished?

What do you think? Will this mean better security? Opportunities for 3rd party security and liability failures? Or improvements for companies to take security seriously?

»venturebeat.com/2014/03/19/ftc-w···-hacked/
--
Splat



Chubbzie

join:2014-02-11
Greenville, NC

2 recommendations

I'm all for pushing higher security protocol across all venues of corps, businesses, transactional processing, data accessibility, etc. However I wonder where will the line be drawn? Will these new security standards be forced upon Mom & Pop shops, not-for-profit orgs, businesses on the low end of the totem pole? If so, what type of cost would these entities be looking at to abide by the new standards?

Also, how will 0-day exploits and manufacturer's incompetence be handled if used to subvert security? If I'm company A and have a massive breach due to a software manufacturer's boneheaded coding error who's really to blame?

There are so many grey areas in this equation that make it really tough to fathom full liability regulation.



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

2 recommendations

reply to cableties

The problem is these people don't have a clue as to how a company doing everything right can still be owned. I'm currently listening to Mark Russinovich's (a name many might recognize) Zero Day. They have a perfect example of how a company can be owned through no fault of their own, even though they did everything right.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

3 recommendations

reply to Chubbzie

Well, there's an easy out. If you can't keep personal data about me safe, then just don't store personal data about me. Presto, no liability for failure to secure my personal information.

Or to put it another way, I don't think Mom & Pop shops are in the business of keeping a lot of personal customer data in harm's way.

Other countries have data security laws, why can't we?

I agree that the issue of 'whose fault is it?' needs to be carefully handled, but I think that it'll come down to compliance. If you do thus-and-so, you are legally safe.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by dave:

... but I think that it'll come down to compliance. If you do thus-and-so, you are legally safe.

That's the current standard under PCI compliance which would be just a bad joke if there were anything funny about it.
»www.pcicomplianceguide.org/pcifaqs.php

said by dave:

Well, there's an easy out. If you can't keep personal data about me safe, then just don't store personal data about me. Presto, no liability for failure to secure my personal information.

As much as I agree with that, the problem with that is 'out' from what?
The strongest safeguard in place today is 'out' from disclosing a breach in the annual stock holder's report.

said by dave:

Other countries have data security laws, why can't we?

Because we're not pissed off enough, yet.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to cableties

Businesses that keep personally sensitive data about customers have a fiduciary responsibility to protect it, which means paying the necessary freight to do that well. Otherwise, they shouldn't keep the data. One of the key problems with data theft is that the custodians, other than a short season of bad publicity and some credit-monitoring charges for violated customers, bear no real liability for the customer damages to which their poor computer security decisions and practices greatly contribute.

Down through human history, the best results have always obtained when the custodian is exposed to direct liability for that which he has assumed responsibility to protect. If he doesn't want such liability risk, then he either must constantly apply top-notch protection or else return or legitimately dispose of that which he has been protecting.
--
The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money. -- A. de Tocqueville


OZO
Premium
join:2003-01-17
kudos:2
reply to cableties

Good move from FCC! I wish them luck in that endeavor. Finally they do something for us, the customers. I'd say, punish companies for leaks of our personal data and punish very hard...

As to Mom & Pop shops (as well as big corporations too) - here is advice. Don't want to get punished? Then don't keep personal data about your customers. Isn't that simple?
--
Keep it simple, it'll become complex by itself...


OZO
Premium
join:2003-01-17
kudos:2
reply to Snowy

said by Snowy:

said by dave:

Other countries have data security laws, why can't we?

Because we're not pissed off enough, yet.

That's right. We're still waiting for something... But wise say:
He is truly wise who gains wisdom from another's mishap.
--
Keep it simple, it'll become complex by itself...


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

3 edits

3 recommendations

reply to Chubbzie

I think the liability model is exactly the right way to handle this, but (as others have said) this has to be handled thoughtfully.

I'll use Target as an example here but it's really a placeholder for any business doing business.

It may well be that Target cannot prevent a zero-day vuln or an incompetent vendor, but it's hard to argue that they have less control over the situation than the consumers whose data they hold (i.e., "my data"). As far as I know, the only control I have is to shop at Target or not, which is not an easy discrimination to make before the fact.

Once vendors know that they will be liable for damages, and that they will be on the hook even if there are horrible bugs in Internet Explorer or a Watchguard firewall or an HP printer or whatever, it will change how they operate so they trust their vendors less and expect more.

An IE vuln may not be Target's "fault" in the same sense as it's their fault if a manager assaults a customer, but giving them a reason to Give A Shit™ about controlling what they can control will help us all.

This applies to Target as well as the local Mom and Pop store — I have seen it in operation.

Scenario: Mom and Pop want to expand their brick-and-mortar sex-toy store (hi Mom!) to the web, and they're looking at shopping carts. They heavily favor solutions that have them never see or touch or retain any payment information, on the assumption that Mom and Dad are experts in sex toys, not so much in payment security, leaving it to those who are nominally more qualified to handle it safely.

This is not to say that the payment processor won't ever be hacked, and it's fair to say that Mom is intentionally shifting the burden to somebody else they can blame, but it's hard to imagine that sex-toy-Mom is going to do a better job than somebody who does this every day and whose reputation relies on doing the job.

This is systemic security that makes it nearly impossible for Mom to screw up and breach data, as opposed to tactical security which means she's pretty sure she has the bunkers locked down tight.

Likewise, I often hire experts (my mechanic, my doctor, my CPA) to handle tasks that they're simply more qualified for. "Easy for me, hard for you".

This mindset is enormously important.

I have been consulting in a financial-services industry for a long time (on the systems side, not the financial side), and I run the servers and networks for a number of companies. These servers hold an absolute gold mine of breachable information, far more than what Target ever has.

As the landscape for security threats has increased, I've been concerned about upping my game on the operational security: I can't watch every network of every customer, but I can make it a lot harder for some doofus customer service agent to have his desktop hacked via Elf Bowling or Anna Kournikova and gain access to the happy fun data.

So this makes me look at re-engineering entire operations (including making things less convenient for the customer) so that it's simply harder to do bad stuff. And I'm doing this in the absence of personal liability, only because I care about doing a good job for my customers. Adding legal liability will just drive others to this same place.

But here is the caveat: we must put the predominant liability focus on operations rather than software, because the highest duty is on the one who chooses to retain the data rather than the vehicles by which the data is retained.

Operations have context, but software does not

Yes, it sucks for Target or sex-toy-Mom if an Internet Explorer vulnerability means their desktop is hacked, but does this automatically and necessarily mean that they have given up the keys to the kingdom? Something else has to happen, and that's within the control of Target or Mom. Shifting blame from Mom to Microsoft sounds like it's a way of avoiding responsibility.

There are two concerns here:

First, if software receives primary liability rather than operations, an enormous amount of open source software will become unavailable. I have written an utterly insignificant amount of free software that I offer on my website, but if I'm liable because you or I screw up: HOLY SHIT I cannot pull my software down fast enough.

Second, and most importantly, if software bugs give operations people a pass, it changes the incentive to shift the blame, and it's the operations people who are most responsible in the first place. This is legal "risk arbitrage" that does exactly the wrong thing.

NOTE: Previously I mentioned sex-toy-Mom outsourcing payment processing, but this was outsourcing to operations, not to software. This is the key difference.

Yes, everybody loves to blame Microsoft for bad security, but (not having studied this in detail) I'd be surprised if even one breach of any substantial size in the last five years were directly caused by a software bug from anybody.

Steve — who has never thought of "sex toy" and "Mom" in the same sentence before, and now wants to throw up in his mouth, just a little bit
--
Stephen J. Friedl | Unix Wizard | Security Consultant | KA8CMY | Southern California USA | my web site


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to cableties

my thinking is that the ISPs that host the malware that is used by cybercriminals are the ones who should be held accountable..

we also need global co-operation to sinkhole malicious URLs.. that might not solve the whole problem, but it would help, to sinkhole as many malicious URLs as possible..



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to Steve

said by Steve:

I have been consulting in a financial-services industry for a long time (on the systems side, not the financial side), and I run the servers and networks for a number of companies. These servers hold an absolute gold mine of breachable information, far more than what Target ever has.

Financial institutions set the bar for IT security.
Besides the important matter of image, it is their own assets they're protecting at the end of the day, unlike the giant retailer or mom-n-pop toy shop.
Hack into a bank's server & you'll end up with unusable partial data, since every financial institution I'm aware of stores account data across numerous servers, none of which alone can supply anything worthwhile to a miscreant.

Most if not all of the data breaches that involved stored data could have been greatly mitigated if the practice of not storing all the eggs in one basket were required.

These same managers wouldn't consider having their personal stock portfolio not diversified, but obviously have no issue with placing the data portfolios they're charged with protecting in one basket.
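One concrete way to implement the split storage Snowy describes, added here as an example (it is not code from the thread or from any institution mentioned in it): n-of-n XOR secret sharing, where each storage server holds one share and the record is recoverable only when every share is combined. Any proper subset of shares is uniformly random and therefore useless on its own. The record and its field names are constructed; the card number is a test value.

```python
"""
Splitting a sensitive record across several stores so that no single store
(and no proper subset of stores) yields usable data. Added example using
n-of-n XOR secret sharing as one way to implement the "don't keep all the
eggs in one basket" practice described in the thread. The sample record
below is constructed.
"""
import secrets
from typing import List


def split(record: bytes, n: int) -> List[bytes]:
    """Split `record` into n shares, one per storage server.

    The first n-1 shares are uniformly random; the last is chosen so that
    the XOR of all n shares equals the record. Any n-1 shares are
    statistically independent of the record, so a breach of n-1 servers
    reveals nothing.
    """
    if n < 2:
        raise ValueError("need at least two stores")
    shares = [secrets.token_bytes(len(record)) for _ in range(n - 1)]
    last = bytearray(record)
    for s in shares:
        for i, b in enumerate(s):
            last[i] ^= b
    shares.append(bytes(last))
    return shares


def combine(shares: List[bytes]) -> bytes:
    """XOR the shares back together. Correct only when every share is present."""
    if not shares:
        raise ValueError("no shares")
    out = bytearray(len(shares[0]))
    for s in shares:
        if len(s) != len(out):
            raise ValueError("share length mismatch")
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


def demo() -> dict:
    """Show that the full set of shares round-trips and a partial set does not."""
    # Constructed sample record; 4111... is a well-known test PAN, not a real card.
    record = b"cust=4242;pan=4111111111111111;exp=12/29"
    shares = split(record, 3)        # three storage servers, one share each
    full = combine(shares)           # the application holding all three
    partial = combine(shares[:2])    # two servers breached, the third intact
    return {
        "roundtrip_ok": full == record,
        "partial_matches": partial == record,
        "share_leaks_plaintext": any(s == record for s in shares),
        "partial_contains_pan": b"4111111111111111" in partial,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The trade-off is availability: with n-of-n sharing, losing any one store loses the record, so in practice a threshold scheme (Shamir's secret sharing, where any k of n shares suffice) is used to keep the "no single server is useful" property while tolerating outages.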


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to redwolfe_98

said by redwolfe_98:

my thinking is that the ISP's that host the malware that is used by cybercriminals are the ones who should be held accountable..

Sounds like a business opportunity.

Have Malware Will Travel
Got a grudge against an ISP?


Chubbzie

join:2014-02-11
Greenville, NC
reply to cableties

Educational institutions -> student/alumni/faculty/staff/state/fed data -> various forms of payment processing. How would this fare under these new standards?

Snowy is dead on with the statement of PCI DSS compliance being a bad joke.

Also, I agree 110% that anyone willing to hold or store various data should be held responsible for said data. The main issue I have with this, however, is it's not black & white and can easily become a huge cumbersome process when identifying all involved parties & the actual cause of said breach.

If I go to a .gov and wind up infected with malware that siphons off all my data b/c the Syrian Electronic Army or Anonymous decided to subvert and hijack that site for nefarious payload, who's the responsible party?



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 edit

said by Chubbzie:

... Also, I agree 110% that anyone willing to hold or store various data should be held responsible for said data. The main issue I have with this, however, is it's not black & white and can easily become a huge cumbersome process when identifying all involved parties & the actual cause of said breach.

If I go to a .gov and wind up infected with malware that siphons off all my data b/c the Syrian Electronic Army or Anonymous decided to subvert and hijack that site for nefarious payload, who's the responsible party?

Obviously, the thief is responsible, at the first level. But while the cops (or armies) are chasing him, the next level of responsibility is the guy who left the front door unguarded, as are the guys who vetoed even putting a lock on the front door, as well as the guys who left the goods just lying around on the tables rather than locking them away in the safe before they went home... and even the marketers who advertised their establishment to customers as a secure place to store your valuables. 'Blame' for stealing rests with the thieves; responsibility for 'protection' rests with the protectors. Cumbersome or not, liabilities should follow accordingly.
--
The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money. -- A. de Tocqueville


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Steve

said by Steve:

So this makes me look at re-engineering entire operations (including making things less convenient for the customer)

This is the key. Security is NOT convenient. That is always going to be an issue. The more secure a system is, the less convenient it will be. Stores need the shopping experience to be convenient, so that shoppers will use them.

Part of the issue is that there are so many parts involved. It isn't simply the operating system you are running, it is also the software, plug-ins, communication protocols, drivers, hardware, ISP, and much more. Not to mention the human component, the known weakest link in any security solution. Any hole, in any one of the things you are using, can compromise you.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein