
Ask HN: Should IT Adopt “Black Box Thinking” in Relation to Cyber Attacks? - ID1452319
As someone who designs enterprise software for a living I find it strange how little detailed analysis available in the public domain there seems to be regarding major cyber attacks and security breaches. I do wonder how companies are supposed to learn from others' mistakes when the information is so rarely available?

There was an excellent analysis* of the recent BA credit card leak which prompted a great deal of internal debate into the level of exposure and risk; however, this was conducted by a third-party analyst and not an official investigation.

https://www.riskiq.com/blog/labs/magecart-british-airways-breach/

However, this is rare and there have been several high-profile breaches which do not seem to have been so thoroughly investigated and the results published.

When an airliner crashes there is a forensic-level investigation and the results are shared with the wider industry. At the end of the day it is in everyone's best interests, as not only do companies face financial losses compensating their customers, they also risk damage to brand reputation and ultimately fines from regulators.

What are people's opinions on the IT industry adopting a similar black box thinking approach to reporting the causes of security breaches?
======
segmondy
Partner up with a security engineer/team. The mindset that creates is
different from the mindset that destroys. The gap between enterprise software
and security is a very wide gulf. Security exploitation might require
intimate hardware details lower than understanding how the OS works, things
such as understanding the architecture of the CPU, as we have seen with recent
speculation attacks on CPUs. Nevertheless, tons have been published on
security.

Rule 1. Trust NO INPUT
Rule 2. Trust NO INPUT
Rule 3. Trust NO INPUT

Outside of being compromised due to bad inputs, the other vectors are either
logical flaws emanating from complex systems with different moving pieces, or
stemming from bad practices such as using poorly vetted libraries or encryption
schemes, running on insecure platforms, etc.

As someone who works in both spaces, I can assure you that there's a
strong strain between the demands of enterprise to release their vague
requirements to market and the demand of security to keep everything together.
If you try to do both it's easy to end up with some blindness. Hire a security
team; the airline engineers don't do the forensics, a different team does and
tells them the lessons learned.

