by peterwoo
3995 days ago
You guys use the word "seriously" here in an entirely different sense than these statements intend. These aren't statements made to the board, they're PR statements made to outsiders after huge breaches of customer/employee personal info. No one is reassured in these times by a company being "serious" about security in the sense that they have supposedly calculated its expected impact on their profitability.

> Given that the listed businesses are still operating and in most cases continuing to turn similar profits to what they were doing before, they appear to have done an excellent job weighing the costs in play.

You can't know whether (even in an internal bookkeeping sense) the "tradeoff" was net positive. The incidents still cost the companies money. BP still exists and is highly profitable despite the spill and the ongoing costs incurred. That doesn't mean, hey, they must have given it serious thought and found it costs more to inspect and maintain the rig than the $50B+ spent cleaning it up.

I don't think security can be taken seriously unless specifically compliance is taken seriously.
I claim something that few security professionals would say in their career: Compliance is the magic bullet to taking privacy and security seriously. But to understand why, we have to think about the most reasonable alternative to compliance as an approach to security.
Do you know what “full content packet capture” means? It’s when you’re able to grab every piece of data transmitted over a network using a tool called tcpdump. You can use another tool to reassemble those collected data packets into complete applications, movie or music files, even video chats and phone calls.
As a joke, an instructor once told me that when they went onsite to do security investigations, they would do a full content dump; if someone was downloading videos at the time, my instructor would say, “Thanks for the movie, guys!”
This is what the Utah Data Center is doing. All packets are collected using a tool like tcpdump, and then the Center reassembles them and categorizes the content into data cubes (e.g., movies, video calls, emails) that are easily findable with open source search engines such as Lucene and Solr. Is this taking security seriously? You bet!
Enhanced Intrusion Detection Systems are how security is being taken seriously, and with a cost to privacy. If a hosting provider like Akamai — which runs 15% of the world’s web traffic — is able to reassemble your packets, and even archive them, is that what you want security to be?
Probably not, but when a security professional says "let's take security seriously", to them it means just watch all the things. I remember in 2006, after my IDS training, I was all for collecting every single packet (no matter what) because I was taught, as a security professional, that was the only way I could do my job: watch everything, since we need to know everything about anything. If you watch everything, that’s inherently security, and the world is protected. That was my modus operandi for many years.
This is why taking privacy and security seriously really means taking compliance seriously. Compliance lassos in "watch everything" while also providing validation and proof of security. If we’re doing good hygiene (e.g., key rotation, log review, change control) on our systems, there’s no reason to collect and watch everything.
The recipe to collect everything already exists but that means only security is being taken seriously. I hope we start to take compliance seriously and bring that into the privacy/security equation.