[Dataloss] rant: Abandon Ship! Data Loss Ahoy!

Mark Simon msimon at eclipsecurityllc.com
Wed Mar 19 15:45:56 UTC 2008


The false sense of comfort with various security products is due to the
lack of transparency concerning breach occurrences.  It is the rare case
where an exploited vulnerability is identified and described in detail
for the public.

As embarrassing as it may be, we need to share more details about breach
incidents.  Organizations should be encouraged to redact and anonymously
publish post-incident reports so the public, including other information
security professionals, can learn about the security tools that failed
to help TJX and many others prevent, or uncover earlier, intruder
activities.

It would also help if trusted organizations, such as US-CERT, would
provide anonymity and publication facilities allowing organizations to
report details concerning breach occurrences.   Congress passed the
Communications Decency Act (CDA) in 1996. The Act contains language
under the heading - Protection for Good Samaritan blocking and screening
of offensive material - which provides, "No provider or user of an
interactive computer service shall be treated as the publisher or
speaker of any information provided by another information content
provider."  CDA 230 further provides that "[n]o cause of action may be
brought and no liability may be imposed under any State or local law
that is inconsistent with this section." 

So, find a publisher and get publishing.

Mark.

--
Mark S. Simon, Director of Regulatory Compliance Consulting 
Eclipsecurity, LLC
Mobile: (224) 612-3101
Office: (847) 850-5088
Toll Free: (877) 369-5331

www.eclipsecurityLLC.com


-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Jamie C. Pole
Sent: Tuesday, March 18, 2008 8:57 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!


Yup.  And does anyone doubt that a company using Qualys would be in the
same boat?

All of these vendors that sell non-functioning crapware are seriously
damaging the efficacy of online commerce moving forward.  They sell a  
false sense of security.  Nothing more.  PCI compliance in a box?   
Yeah, right...

Then again, Visa is also very much to blame.  Until Visa gets serious
about PCI compliance and starts certifying expert security
practitioners, rather than clueless companies with big checkbooks, this
is just going to keep happening over and over again.  Visa should be
paying expert security practitioners to do PCI compliance assessments,
rather than having the big consulting companies pay THEM for the
privilege of saying they are certified to conduct PCI assessments.

All of these automated vulnerability assessment processes achieve the  
same result - they identify only the lowest of the low-hanging fruit.   
Automated tools might identify the exposures that script kiddies are
looking for, but they most certainly can't identify the exposures that
motivated and competent hackers are looking for.  Show me an automated
tool that can identify vulnerabilities that are contingent on the
successful exploit of other vulnerabilities, and I just might change my
mind.  I'm not going to hold my breath, because companies are too
wrapped up in buying automated scans for $19.99 per host.  As we can
see, they always get exactly what they pay for.  What exactly do they
think they are buying??

What's even worse is that there are "security consultants" running
around telling the world that they base their entire vulnerability
assessment offering on some of these useless tools.

Oh, well...

Jamie



On Mar 18, 2008, at 8:53 PM, lyger wrote:

>
> http://attrition.org/security/rant/z/rapid7.html
>
> Tue Mar 18 16:10:57 EST 2008
> d2d
>
> You are a security vendor. You sell the mightiest security doohickey
> the world has ever seen. It does it all, including "...ensuring your
> network is safe from hackers..." and amazingly it "...scans for Web
> site and database vulnerabilities that hackers can use to capture
> credit card information without you being aware". Since your doohickey
> does what no others have ever successfully managed to do, you can tout
> your client list proudly, and pimp your customer implementations
> liberally.
>
> UNTIL...
>
> One of your customers joins the etiolated top 10 with a massive
> hacker-perpetrated data loss incident.
>
> OUCH.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor
> your traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
