
“We take security seriously” - wglb
http://www.troyhunt.com/2015/07/we-take-security-seriously-otherwise.html
======
jedberg
Security is a business cost like anything else and there are tradeoffs. All of
these companies have decided that the risk of losing this data was worth the
cost savings of not protecting against the attack. So far they all seem to be
right (not even Sony went out of business after their massive breach).

So it's perfectly reasonable for them to say they take security seriously and
then have these breaches. They take it exactly as seriously as needed to keep
their business alive.

Having been on that eBay security team mentioned, I can tell you that we did
in fact take security seriously. And sometimes what we recommended was done,
and sometimes it was decided the cost wasn't worth the risk. But we were
always serious about it.

~~~
JoachimSchipper
Most of the costs of a business's bad security are not borne by the business,
but by its customers. Businesses often do a bad job of weighing externalized
costs, and security is no exception.

~~~
akerl_
The business is responsible for the costs against itself, which include any
fines, any damage to their revenue due to customers leaving, and any resulting
litigation, to name a few. The business isn't responsible for costs borne by
customers which don't translate to those customers paying less money.

Given that the listed businesses are still operating and in most cases
continuing to turn similar profits to what they were doing before, they appear
to have done an excellent job weighing the costs in play.

You're welcome to think that the cost to the business should be higher, either
due to the public caring more (most paying customers at the moment don't even
consider whether the businesses they support care about security) or due to
increased fines and penalties for security failings. It may very well be that
we need to adjust those things via raising awareness or changing legislation.
But based on the current state of the world, these businesses all weighed
things in a way that kept them doing what they do.

~~~
peterwoo
You guys use the word "seriously" here in an entirely different sense than
these statements intend.

These aren't statements made to the board, they're PR statements made to
outsiders after huge breaches of customer/employee personal info. No one is
reassured in these times by a company being "serious" about security in the
sense that they have supposedly calculated its expected impact on their
profitability.

> Given that the listed businesses are still operating and in most cases
> continuing to turn similar profits to what they were doing before, they
> appear to have done an excellent job weighing the costs in play.

You can't know whether (even in an internal bookkeeping sense) the "tradeoff"
was net positive. The incidents still cost the companies money.

BP still exists and is highly profitable despite the spill and the ongoing
costs incurred. That doesn't mean, "hey, they must have given it serious thought
and found it costs more to inspect and maintain the rig than the $50B+ spent
cleaning it up."

~~~
akshatpradhan
> You guys use the word "seriously" here in an entirely different sense than
> these statements intend.

I don't think security can be taken seriously unless specifically compliance
is taken seriously.

I claim something that few security professionals would say in their career:
Compliance is the magic bullet to taking privacy and security seriously. But
to understand why, we have to think about the most reasonable alternative
to compliance as an approach to security.

Do you know what “full content packet capture” means? It’s when you’re able to
grab every piece of data transmitted over a network using a tool called
tcpdump. You can use another tool to reassemble those collected data packets
into complete applications, movie or music files, even video chats and phone
calls.

As a joke, an instructor once told me that when they went onsite to do
security investigations, they would do a full content dump; if someone was
downloading videos at the time, my instructor would say, “Thanks for the
movie, guys!”

This is what the Utah Data Center is doing. All packets are collected using a
tool like tcpdump, and then the Center reassembles them and categorizes the
content into data cubes (e.g., movies, video calls, emails) that are easily
findable with open source search engines such as Lucene and Solr. Is this
taking security seriously? You bet!

Enhanced Intrusion Detection Systems are how security is being taken seriously,
and with a cost to privacy. If a hosting provider like Akamai, which runs
15% of the world’s web traffic, is able to reassemble your packets, and even
archive them, is that what you want security to be?

Probably not, but when a security professional says "let's take security
seriously", to them it means just watch all the things. I remember in 2006,
after my IDS training, I was all for collecting every single packet (no matter
what) because I was taught, as a security professional, that this was the only way I
could do my job: watch everything, since we need to know everything about
anything. If you watch everything, that’s inherently security, and the world
is protected. That was my modus operandi for many years.

This is why taking privacy and security seriously really means taking
compliance seriously. Compliance lassos in "watch everything" while also
providing validation and proof of security. If we’re doing good hygiene (e.g.
key rotation, log review, change control) on our systems, there’s no reason to
collect and watch everything.

The recipe to collect everything already exists, but that means only security
is being taken seriously. I hope we start to take compliance seriously and
bring that into the privacy/security equation.

~~~
reagency
You seem to be conflating "security" with "insecure communications".

~~~
akshatpradhan
Share with me what you think are the most reasonable approaches to security
and privacy?

Option 1. Collect all the things.

Option 2. Just do good hygiene.

Aside from these two options, what else is available to provide a most
reasonable approach to protecting our customers' sensitive data?

EDIT: I'm the head of a compliance agency

~~~
akerl_
You should probably point out that you're the head of a compliance-focused
company.

Your previous 2 comments seem to be drawing a very strange dichotomy where the
only options for "security" are "capture all traffic" and "compliance". I'm
not even sure where to begin in responding to that, because it's so far beyond
any facts you provided in either update.

Neither compliance nor traffic capture is "security". Capturing _and
analyzing_ traffic can be a facet of a security stance, and structured
compliance frameworks can provide structure and goalposts for measuring your
security stance, but there's a near-infinite range of other factors at play
here.

~~~
akshatpradhan
I'm not sure I understand what you're saying. Capture all the things is
exactly what security professionals are asking for as the most reasonable
approach to securing sensitive data.

This video is proof:
https://www.youtube.com/watch?v=R63CRBNLE2o

Other security researchers have gone so far as suggesting Penetration Testing
and Risk Assessment are the most reasonable approaches to providing security
for sensitive data.

------
VieElm
I don't understand the criticism; what are they supposed to say instead? When
an attacked company says "we take security seriously", it's probably a
statement made by someone in the company who really does care about it and is
probably pretty upset about the whole ordeal and wants to fix it. This whole
attitude about corporations always being these evil lifeless monoliths who
don't care about anything and are just saying whatever they need to, stands in
contrast with any place I've ever worked. Some of these companies are staffed
by people who do care and want to do the right thing, and I don't understand
what the OP thinks they should say instead.

~~~
ProAm
"Caring" doesn't matter though, only execution does. Everyone cares about
obvious things that people should care about, it doesn't matter though if you
fail at what you are supposed to do. Only execution matters in business.

~~~
hippo8
But the fact is, no matter how much money and effort you put into it, someone
determined enough will find a way through.

What most people don't realise when it comes to computer security is that the
foundation on which our modern systems are built never anticipated this much
growth.

I think I am happy with companies that care enough to come forward and admit
their mistakes. IT security is hard, very very hard.

------
lvh
This article makes fun of people who get breached. This is less than helpful.

> “We take security seriously”, otherwise known as “We didn’t take it
> seriously enough”

This implies that if only the companies that got breached had taken security
more seriously, they wouldn't have gotten breached. In a world where databases
are valuable (the AFF example cited in the post, for example), software is
virtually impossible to get to zero defects, and where zero-day
vulnerabilities are traded on the open market, some big fish are going to get
popped.

The idea that getting breached means you're incompetent is toxic and needs to
stop; it just means that you're a sufficiently high-value target. It's very
possible (and quite likely) that many of those breached expended extensive
efforts in defense. The idea that they would've been fine modulo more security
expenditure is not just a baseless assumption, it is in many cases patently false
(granted, there's plenty where it's true). As a security professional working
in customer-facing security, I'm helping exactly the people who are getting
breached, therefore I say that having a monetary motive to say that they
_aren't_ spending enough efforts and should give me more money ;-)

The article also ignores that knowing that you got popped probably already
means that you're in one of the higher percentiles of security posture...
That's sad, but, again, blaming the victims here helps no-one.

(By the way, if you too would like to help people who get breached instead of
making fun of them, we're hiring. Contact info in HN profile.)

~~~
programmernews3
As far as I know, the most successful attacks on companies were based on very
simple techniques like phishing or similar easy techniques like SQL injection.
When we talk about data breaches of companies, it mostly doesn't have anything to
do with highly sophisticated attacks using 0-days, I guess. I'm not sure; would
you agree?

Of course companies tell you that they were victims of highly sophisticated APT
attacks, otherwise they would have to admit they had been compromised by
simple script-kiddie attacks.

Of course blaming victims doesn't help anyone. I want to emphasize here that
not only the companies are victims but also the users and customers, who
mostly never received compensation after security failures.

------
nailer
The Adult Friend Finder attack in particular is awful - the leaked data is
incredibly sensitive and could be used to blackmail or manipulate the victims.

~~~
nota_bene
I'd feel awful too if my name was 'nailer' ;-)

~~~
nailer
I'm not in there. But thank you for the threat.

------
nickpsecurity
Anytime I see "We take security seriously" I get doubly skeptical about their
security stance. This is something that's best demonstrated by simply doing it,
and the results speak for themselves. There's an obvious contrast between
organizations with well-managed INFOSEC and those that pretend, especially
when a vulnerability is reported or a breach occurs. Extra-obvious then.

Businesses, just practice INFOSEC instead of preaching it. Better that way.

------
__david__
Though the words are nominally the same, the FBI quote has a distinctly
different meaning than all the others—I don't think it's quite fair to lump it
in with the rest. The FBI saying "we take threats seriously" means they are
willing to throw money at investigations and prosecutions. The other companies
don't have that particular power.

------
jakejake
It's not exactly fair because security is a process. Even following all best
practices, new attacks happen all the time. Sometimes the security process
includes post-attack investigation and mitigation.

It's quite easy to point a finger when you have a few servers that you spend
all of your time securing and monitoring. It's something else when you have
departments of people connected to your network and running services, breaking
policies, taking laptops out of the office, etc.

Nobody wants to see their data being breached. I applaud companies for
publicly sharing their investigation and response.

------
ProAm
Taking security seriously, and knowing what you are doing are often mutually
exclusive in business.

------
gesman
Hackers take _your_ security (and your money) seriously too.

------
stephendicato
Is the issue that there was a lack of technical investment in security or a
shortcoming in their ability to communicate with their customers?

I'd argue many of the companies mentioned have invested heavily in security.
Whether their investment will prevent a compromise from a determined adversary
is likely unrelated to their investment.

Unfortunately, I suspect many of the mentioned companies had not equally
invested in how to properly communicate a compromise with their customers.

------
Walkman
This is human nature: we usually take actions after the fact.

------
benoliver999
People in the know: how do these breaches keep happening?

~~~
tptacek
It is dazzlingly expensive to run a 500+ seat IT organization in a manner that
is meaningfully hardened against attackers. Meanwhile, IT budgets are
calibrated against the last 20 years of typical IT expenses. That's despite
the fact that the last 10 years have drastically increased the risk of IT
security attacks, because:

* the technology adoption curve of attack techniques has made powerful attacks available to the "early majority" cohort of criminals

* computer science has demonstrated flaws in foundational technology that weren't widely known 15 years ago

* as online attacks have mainstreamed, an industry value chain has developed to monetize weaknesses

So it's business-as-usual in IT, despite the fact that when it comes to
security, "usual" has been redefined.

Basically no medium/medium-large company in the world is willing to spend the
amount of money (and make the usability sacrifices) it would take to
reasonably ensure resiliency against attacks. The most secure firms spend
anomalous amounts of money simply to elevate themselves to a point where they
(a) aren't the easiest targets and (b) have bought enough time to detect and
respond to incidents as they occur.

~~~
tel
If one had an infinite monetary and user acceptability/retraining budget...
what would a modern, secure 500+ seat IT infrastructure look like? Even in the
broadest of terms.

~~~
tptacek
* No unfiltered attachments in email, for definitions of "filter" that include "stripping out content and re-rendering in simpler formats", like "PDF->RTF" or something equally terrible.

* Fine-grained segmentation of all networks on need-to-know basis, informed by the org chart and detailed role descriptions for virtually all employees.

* No employee access to arbitrary Internet sites

* For employees that require Internet access, air gaps between computers that can hit Google and computers that can access company email

* Formal audits for minor software releases

* Expensive, heavily tested secure coding training for all developers

* Adoption of secure coding/design standards ("this is the XYZcorp way to make an SQL query" and "this is the XYZcorp way to render HTML"). Strict bans on deprecated interfaces.

* Employee access to sensitive internal applications (like document and image management) gated through Citrix-like environments, so you have to remote terminal in to get to the browser that actually talks to the application.

* Extremely minimal access provided to VPN users.

* Total 802.1X-style lockdown of network ports and fascist policies against bringing own devices.

And so on.

There is zero chance this is ever going to describe any huge company.

~~~
stevoski
If I worked as a developer inside such an organisation, I'd quit. A sad
side-effect of rigorous IT security is the lack of productivity and day-to-day
frustrations experienced by the staff.

I've experienced this myself inside a major central bank. Most development
staff were a) demoralised and b) frequently adopting insecure work-arounds.

~~~
tptacek
So would I. But another way to look at this is, instead of "I'd quit", saying
"they'd have to pay me 3x more to work in a place like that". At which point
you can again start looking at it as an economic problem.

~~~
greyboy
You're right. I work at a place that does all but two of those, and I wouldn't
if they didn't pay me as much as they do!

~~~
tptacek
If you work at a company with more than 500 employees that does all but two of
those, I'd like to hear more about that. As I wrote those bullets, I filtered
them through my experience of consulting for F500 companies, and when I found
myself writing something I'd seen _reliably deployed_ across _entire
organizations_, I edited the bullet until that was no longer the case.

About the closest I've come to seeing any of these bullets deployed reliably
is Microsoft's developer training and deprecation of the standard C library,
and that initiative was so out-of-the-ordinary that it was newsworthy, and
widely reported.

But to actually earn that bullet, Microsoft would need to deploy those same
measures across all its contractors, and, more importantly, deploy them on
_internal IT and line of business systems_, not just the Windows and Office
codebases.

~~~
tel
I imagine some government facilities could hit that mark—based loosely on
descriptions of friends who have worked in such environments.

~~~
greyboy
Bingo.