Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Businesses Technology

Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses (theregister.co.uk) 184

It's no secret that more companies are getting hacked now than ever. The government is getting hacked, major corporate companies are getting hacked, and even news outlets are getting hacked. This raises the obvious question: why aren't people investing more in bolstering their security? The answer is, as a report on The Register points out, money. Despite losing a significant sum of money on a data breach, it is still in a company's best interest to not spend on upgrading their security infrastructure. From the report: A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought -- typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.
This discussion has been archived. No new comments can be posted.

Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses

Comments Filter:
  • by Anonymous Coward on Friday September 23, 2016 @02:24PM (#52948565)

    People have no options in the market for strong security, otherwise they'd punish these companies in sales.

  • Bottom line... (Score:3, Insightful)

    by __aaclcg7560 ( 824291 ) on Friday September 23, 2016 @02:25PM (#52948573)
    Your info is already scattered all over the Internet from previous data breaches. It's cheaper to do nothing than build infrastructure that won't add to the CEO's annual bonus.
    • Re:Bottom line... (Score:5, Insightful)

      by alvinrod ( 889928 ) on Friday September 23, 2016 @02:38PM (#52948677)
      If valuable information wasn't being stored in plain-text or otherwise easily accessible it wouldn't matter. The ideal solution is to avoid storing sensitive user information that isn't needed whenever possible and encrypt if you absolutely must store something sensitive (medical records, etc.) because the reality is that no matter how much you spend on defense, it only takes one successful attack to render it all pointless. Further, even with exceptionally secure software, it's often a weakness in the humans maintaining it or overseeing it that leads to a successful attack.

      It's safest to assume that no matter how good your security, someone will eventually break through. As such, any sensitive user data should be encrypted so that it's not feasible for it to be exploited or used nefariously by the hackers who broke in. Everything else is just mitigating risk or delaying attackers. A locked door or alarm system won't stop a truly dedicated burglar, but it will make most look for another target or make it easier for them to slip up during the process in some way that leads to finding them.
      • Re:Bottom line... (Score:4, Insightful)

        by sdinfoserv ( 1793266 ) on Friday September 23, 2016 @03:45PM (#52949201)
        Thinking just about personal information is way too simplistic. Think about corporations throwing IoT everywhere without a second inclination towards security. Step forward into a cyberattack where all those devices have cooling disabled and increase power consumption to break the device or start fires. We’re looking at a catastrophic loss of infrastructure not just the North Koreans knowing John Smith takes Viagra.
      • by Bert64 ( 520050 )

        In order for encrypted data to be used the decryption key must be somewhere, failure to protect the keys can occur just as easily as any other form of security failure.
        Also as users we have no idea how companies are storing our data anyway, so the only option available is for us to not hand it over in the first place.

    • In the Libertarian fantasy world, all of these companies with poor security would be punished by the Invisible Hand of the Market. People would boycott them and they'd go out of business.

      But we know for a fact that never actually happens, which is why people laugh at Libertarians and their childish, magical ideas about how the world works.

      • by tnk1 ( 899206 )

        The problem with the extreme libertarian ideal of what would happen is that it assumes that no one can generate a monopoly. Particularly the monopoly of force of a government.

        If that was not possible, it is possible that there would be more freedom for that mechanism to work, but as you say, those conditions don't seem to ever actually occur.

        The reality is that I think people want something that prevents anarchy, but they don't want it to become oppressive. I think government is okay in moderation, but it

      • The weakness of the whole Libertarian ideal is that it turns out there are a lot of legal ways for one person to totally screw over another.
        • The weakness of the whole Libertarian ideal is that it turns out there are a lot of legal ways for one person to totally screw over another.

          Yes, and with corporations who can field armies of lawyers and PR campaigns, it's a million times worse than what one person can do.

      • by dnaumov ( 453672 )

        In the Libertarian fantasy world, all of these companies with poor security would be punished by the Invisible Hand of the Market. People would boycott them and they'd go out of business.

        But we know for a fact that never actually happens, which is why people laugh at Libertarians and their childish, magical ideas about how the world works.

        That's a rather retarded way of looking at things. The "Invisible Hand of the Market" is essentially the total sum of people giving a shit (and amount of shit being given by said people) about an issue one way or another. The article being discussed is prime example of people simply not (yet, currently) giving a shit about getting hacked. Nobody promised you that the "Invisible Hand of the Market" will do shit that YOU want to happen.

        • The real problem with the Libertarian ideal is that markets need accurate information in order to function properly. Accurate information is very hard to get in certain fields. Accurate information is hard to get when the major media outlets are controlled by a small number of people.

          For example, what percentage of security breaches become public knowledge? I would doubt that it is as high as 10%.

          • The real problem with the Libertarian ideal is that markets need accurate information in order to function properly. Accurate information is very hard to get in certain fields.

            Like when a huge corporation decides to mount a PR campaign to cover up their misdeeds. Even when people have all the information they need to make a decision, they still act against their own best interests. For a classic example, look no further than the Catholic church and their record of molesting children. It's proven that they've been doing this literally for centuries, and yet the suckers still line up to fill the donation plates.

            If you won't boycott them to save your own child, why would you bother

        • That's a rather retarded way of looking at things.

          I agree; the Libertarian notion of how things work is indeed a retarded way of looking at things.

          -

          The "Invisible Hand of the Market" is essentially the total sum of people giving a shit

          And since most people won't give a shit for any number of reasons (lack of interest, lack of info, etc) then the "Invisible Hand of the Market" is a fantasy. It simply isn't a real thing.

          -

          Nobody promised you that the "Invisible Hand of the Market" will do shit that YOU want to happen.

          Exactly, and I thank you for making my point for me. And to take it a step further, nobody can promise anyone that the "Invisible Hand of the Market" will do anything at all, period. That's because it doesn't actually exist in

          • by dnaumov ( 453672 )

            Exactly, and I thank you for making my point for me. And to take it a step further, nobody can promise anyone that the "Invisible Hand of the Market" will do anything at all, period. That's because it doesn't actually exist in the real world.

            So you are basically saying nothing ever happens because noone ever gives shit about anything. How did you come to this blatantly false conclusion?

    • by AHuxley ( 892839 )
      Encryption or stay with plain text storage? Yacht design can get extra feet this year or waste profits on real encryption?
      Seems the yacht design costs win every decade.
  • by Joe_Dragon ( 2206452 ) on Friday September 23, 2016 @02:26PM (#52948587)

    And you can bill the hacker the costs to fix stuff even when the system had no security at all.
    Like our doors had no locks on them at all and some one broke in and now we have costs of $ to install locks on the doors.

    • by JoeMerchant ( 803320 ) on Friday September 23, 2016 @02:44PM (#52948719)

      It is also cheaper (and usually more pleasant) to live in houses with breakable glass windows and pickable locks, and just prosecute the burglars who flaunt the niceties and come in anyway.

  • by Khopesh ( 112447 ) on Friday September 23, 2016 @02:35PM (#52948641) Homepage Journal

    This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).

    However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.

    Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.

    • In an optimal world, the costs would balance. If you spend zero on defense, then the breaches will increase due to the lack of defense. So, spend some on defense, make it harder to breach, breaches will always be possible, so where's the sense in spending more on defense than the breaches are costing?

      Now, in military systems, the potential cost of a breach is rather high...

  • by BoRegardless ( 721219 ) on Friday September 23, 2016 @02:37PM (#52948665)

    Then the spending on security will go up.

    • When are we going to start spending effort on "Lawyer control"?

    • by tiberus ( 258517 )
      Or until a breach results in death. You know like when it becomes cost effective to put in a new stop light, or change a medical practice/procedure (of course that usually take more than one death).
    • And got Congress to pass a law making arbitration legally binding. SCOTUS just recently upheld it. You'll find a clause in the EULA of every service you use. You done got sold out again.
    • by tnk1 ( 899206 )

      Although lawsuit comes far too late to protect the people who needed to protect their data more than they needed a $30 rebate from a class action suit.

      Make no mistake, the article makes this very clear. Most of the downside of not spending on security is on the customers, not on the business that got hacked.

  • Best defense (Score:4, Interesting)

    by eyepeepackets ( 33477 ) on Friday September 23, 2016 @02:38PM (#52948669)

    Don't use the internet for anything business related until business gets serious about fixing the problem. These people just want their profits and, like they learned getting that MBA, the easiest way to do profits is to re-direct costs. In this case, put the costs of doing business online onto the customers. Seriously, who pays the real price when a business gets hacked and all the customer data goes walking out the door/server? The customers suffer from having their data abused, that is who suffers.

    Do you trust your ISP with your bank account number, address, phone number, etc? How about your bank? Your employer? Your local utilities? How many of these types of businesses have you seen hacking reports on these past years? All of them, repeatedly, every year.

    Do you remember in 1995 when the business and banking communities were warned that the internet was not designed with security in mind, but the complete opposite? Do you remember that they all just said the business opportunities were just too great to ignore and that security would naturally follow usage?

    The internet is not for business; the internet is for porn!

  • Clouds (Score:2, Funny)

    by Anonymous Coward
    It's the cloud. Did any serious security tech ever think that was a good idea.
  • It depends (Score:4, Interesting)

    by acoustix ( 123925 ) on Friday September 23, 2016 @02:42PM (#52948707)

    I'm hearing about cases where companies got hit with cryptolocker type viruses. And it wasn't something just just happened in a 30 minute period. It was a sleeper virus that waited 72 hours before activating, which invalidates all of your recent backups. All it would take is a sleeper to take 1 month, 6 months, etc to activate and then bam - you're done. No good backups. No data = no company. It would be a nightmare.

    • by mentil ( 1748130 )

      Someone would notice even within 72 hours that their database had been encrypted and was inaccessible. You simply restore the database from a backup, after restoring the code. My understanding is that regular 'data backups' only back up the database, and that the software platform that the server runs is backed up to a separate location, only when intentionally modified, and thus less frequently. If the code were modified by a virus, then you'd restore from a version from before the intrusion. If people are

    • If I have a backup of my data taken before a virus "activates", how is that backup invalidated?
      • by Mal-2 ( 675116 )

        The virus is still there and will immediately re-activate on restoration because the current date is past its activation date.

        • No, a virus will not "immediately re-activate on restoration". For a virus to "activate", some form of execution is required. Restore your data files only, or don't run infected executables from your backup.

          Yes, there have been viruses that infect data files, such as PDF documents, Word documents, or graphics files, but even so, these would not "immediately re-activate on restoration".

          • by Mal-2 ( 675116 )

            You're right, I was thinking full image backups, such as you might use to get the system running again in a pinch. Those would just immediately collapse again.

            • That's not to say it wouldn't be a major headache though. One problem I've found with ransomware viruses is that they can chew through such huge numbers of files it makes selective restoration very difficult.
        • by tnk1 ( 899206 )

          That's why you don't back up servers, you back up data.

          Installed server software like the application and OS, especially in this day and age, should be completely disposable. Unless they can cryptolock you somehow from a dump file or an oplog, all they have done is cause a short outage and annoy the shit out of some admins.

          Wipe the hardware, reinstall from your golden image and have your configuration management software reconfigure things, and then restore from backup.

          Not to mention with any redundant DB

  • If you find a vulnerability, companies must be exposed loudly and embarrassingly as possible [medium.com]. That (or legal threats) are the only things that can stop them.

    Remember, there are companies out there that still don't hash passwords.
    • If you find a vulnerability, companies must be exposed loudly and embarrassingly as possible [medium.com]. That (or legal threats) are the only things that can stop them. Remember, there are companies out there that still don't hash passwords.

      One major flaw in your theory here. When everyone these days gets hacked, it's not really embarrassing for anyone to admit it's happened.

      It's kind of like admitting you've had diarrhea before. Big fucking deal. So has the other 99.9% of the human race.

  • by somenickname ( 1270442 ) on Friday September 23, 2016 @02:53PM (#52948799)

    If it's truly the case that it's cheaper to let data breaches happen than to protect against them, then some sort of incentive (or, punishment) needs to be put into place to change that situation. This is one of the few areas where government intervention is actually warranted: When something is not in the best interest of corporations but is very much in the best interest of citizens.

    It's probably cheaper to let factory workers die on the job than it is to put all the safety measures in place to ensure they don't. Yet corporations put those safety measures in place anyway. They don't do it out of fondness of the workers, they do it because the government will shut them down if they don't.

    • Are you saying you want an internet version of osha?

      Data centers could have a calendar with the number of days since the last breach... and a nifty poster about securing data in the break room.

      • Are you saying you want an internet version of osha?

        Not quite but, kinda. I think data breaches should be very expensive to a company. Expensive enough that it's worth protecting against them. It's obvious that the market isn't going to go out of its way to prevent these breaches because, frankly, the costs are externalized (onto the people who have had their data breached). If the costs were internalized, you can bet your ass that companies would take security more seriously.

        If, on average, a data breach costs each breached customer like $5, then fine t

        • Yahoo told the world about this breach about 2 years after it happened. If there were a company destroying fine, they might never have told anyone ? Such fines will also give rise to a kind of insurance against it. Since such fines are large, insurance companies might take over the disclosure of this breach - making it the business of even deeper pockets to hide this information.

          If, on average, a data breach costs each breached customer like $5, then fine the company $10 per breached record

          Do you see this average being computed across all service providers? Specific industry?

          If the cost is per breached customer regard

    • Comment removed based on user account deletion
      • If someone was going to die as a result of a malfunction or breach of a system, we'd demand it be air-gapped and have robust CM. There would be hell to pay as a result of failure - think hospital systems. Or military systems.

        Yes, these systems never get hacked. And people never die because of the hacks...

        The thing is, most of the systems businesses use aren't all that important in the grand scheme of things. No one is going to die if Twitter or Walgreens has a breach.

        Nonsense. It's entirely possible to have a company let your data get stolen and then not learn about that breach until years later (Yahoo). That information leak could lead to all sorts of things (particularly, credit reports) that would genuinely and profoundly affect your life. This isn't "Oh noez, hackers know my home address", this is, "Fuck, they know enough about me to open credit cards in my name".

        Cue "assumed breach"...we must assume that systems like Twitter and Walgreens are breached and are leaking data. Therefore, conduct any business with them while insulating yourself from the consequences of said breach.

        Agreed. And, as it

    • Factory workers got protection because there were a lot of them and they formed Unions. Security breaches only hurt a few people and they're completely unorganized. Hell, when the mega corps got tired of safety they just moved the factories. If we let then weasel out of that we'll let then weasel out of this. Besides, Americans pride themselves on luck. The lucky ones will be fine.
    • by tnk1 ( 899206 )

      Yeah, except the government can't secure itself, and you think they are the solution to securing everyone else?

      It's going to be security theater all the way down.

  • A persistent threat that can't be effectively eliminated in a cost effective manner and the easiest way to deal with it is to just make it sort of hard and pass the remaining costs onto consumers?

  • Except that the best defense against hacking is user training, policies, network segmentation and other low-tech solutions combined together into an intelligent overall strategy...

    If you think you can just go out and buy security, you are most likely getting fleeced.

    • I think you have hit the nail on the head. Everyone wants a magic device or application that will stop all threats. Working as a security person I frequently interact with companies selling magic boxes and unfortunately it is most often at customer sites trying to integrate the steaming pile with the customer's existing system. My personal favorite interaction with a company selling a magic device was one that was selling a NIDS type device and my first question to them was "What does your product offer me
  • by buss_error ( 142273 ) on Friday September 23, 2016 @03:03PM (#52948869) Homepage Journal

    113 million dollars to fix.
    49 million dollars for the death and destruction costs.
    Ford chose death and destruction over the lives of customers.

    To this day I won't own Ford.

    http://www.popularmechanics.co... [popularmechanics.com]

    • 113 million dollars to fix.
      49 million dollars for the death and destruction costs.

      Hate to break it to you, but the choice here is obvious. You compare values and go for the option with the highest value (or lower cost). Tasty food is worth more than life itself. Money is worth more than life itself (see people skimping on their own safety equipment to save money). Fun things like mountain climbing and skydiving are worth more than life itself.

      When people overvalue life they start making decisions like strip-searching all passengers before allowing them on an airplane slightly reduce an a

      • by tnk1 ( 899206 )

        Well, it is important to point out that no one really thinks their life is less important than tasty food. The real factors are:

        There is always a reasonable probability that it won't be what kills you. That bacon triple cheeseburger may eventually kill you, but your smoking habit will probably do that first. You're going to die of something, you're betting you don't live long enough so that all of your bad decisions play out.

        Second, people just have really bad perception of relative risk. That's why so

    • From your link: In the ensuing years, though, some doubt has been cast on the relative severity of the defect. Reports range from 27 to 180 deaths as a result of rear-impact-related fuel tank fires in the Pinto, but given the volume of more than 2.2 million vehicles sold, the death rate was not substantially different from that of vehicles by Ford's competitors. The far more damaging result for Ford was the PR disaster. The company long endured a reputation for putting profits ahead of build quality, which,

    • Ford chose death and destruction over the lives of customers.

      To this day I won't own Ford.

      Get ready to change your mind! Hear from the engineer who caused the pinto not to be recalled:

      But does a rear-positioned gas tank qualify as traceable cause? Traceable cause suggests a deviation from the norm. It turns out, however, that most compacts of that era had fuel tanks behind the rear axle. A former head of the N.H.T.S.A. testified on Ford's behalf, stating that in his opinion the Pinto's design was no more or

  • If your idea of defense is buying hyper expensive checkboxes, then yes. If you do the little things like actually doing updates, actually configuring your servers properly, etc than perhaps not.

    • I was just going to post when your comment made me rethink the whole thing and write this reply instead.

      Having worked in I.T. for 25 years or so now, I'm pretty familiar with the "computer security" marketplace. Most of the time, you've got a combination of "former hackers who decided they could make a living out of selling comp-sec stuff" and big companies seeing $$$$'s by getting behind these initiatives to sell solutions.

      Meanwhile, in the rest of corporate America, I.T. expenditures are increasingly unde

      • by tnk1 ( 899206 )

        I don't know, I've been in IT for about as long as you have, and I have never seen where IT was more than overhead, unless the company itself was a tech company, and even then, internal IT is still overhead.

        • Right. We don't make money for the company. We are overhead. That is exactly it.

          But... even without a huge budget, it is not that hard to come up with good security practices that cost next to nothing extra. Things like user training, keeping on top of updates, good policies and good enforcement are huge parts of security... because really, people are the insecure parts of networks.

    • by tnk1 ( 899206 )

      I agree that some pretty routine protection can give you a considerable amount of value.

      But it wouldn't stop a concerted attack on you. You'd have been vulnerable to something like Heartbleed for two years, even if you patched every hour of every day of that two years. There have been other examples of obscure vulnerabilities that have been very serious and still missed for all of that. There are definitely things out there that no one knows about, or no one has gotten around to fixing yet. All it takes

      • by sjames ( 1099 )

        And what would the expensive checkbox appliances have done about heartbleed? Nothing.

        You are correct that there is no such thing as perfect security. That is true no matter what approach you take and no matter how much time or money you throw at it.

  • He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security.

    And that's the bottom line. And this should worry people that put so much personal data on social media, but it won't. Honestly, there's no news here, considering that not many care about their own personal data's security.

  • by nuckfuts ( 690967 ) on Friday September 23, 2016 @03:09PM (#52948921)

    Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weight the costs spending more and more on preventive security solutions versus the cost of a security breach.

    Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focussing mainly on prevention.

    • You bring up an interesting point. Recovery is the last line of defense. There may not BE a defense (at any price) to ward off the latest zero-day exploit. When security measures become difficult or expensive, it's important to remember that there is no such thing as 100% prevention. At some point, beefing up security reaches a point of diminishing returns. Although a business model MAY collapse due to security issues, it will SURELY collapse if overhead cost exceeds revenue.

    • Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weight the costs spending more and more on preventive security solutions versus the cost of a security breach.

      Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focussing mainly on prevention.

      You're exactly right. The first thing that I tell people about computer system security is that there is no such thing.

      As you said, in computer security when you're on the defense -- you lose. All you can do is raise the bar as high as you can with the budget and resources given to you, and then you plan for recovery with the expectation you'll need to at some time. Security is risk mitigation and nothing more.

      I think the issue here is that when people are having their information compromised in a widely pu

    • In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe

      A lot of the exploits we've seen haven't been zero-days or complex attacks. They've been low-hanging fruit that would never be left open by an admin like you.

  • The $200k figure is internalized costs; the cost of providing free credit protection to those affected (which almost noone takes them up on), and investigators to figure out what was breached, how, by whom, and to maybe patch the hole they got in through. The externalized amount, the burden on those whose data was stolen, is far greater. Also, one has to keep in mind that most breaches are minor incidents involving insiders; they cost very little to fix (change password: done) and no further spending is nec

    • The $200k figure is internalized costs; the cost of providing free credit protection to those affected (which almost noone takes them up on), and investigators to figure out what was breached, how, by whom, and to maybe patch the hole they got in through.

      This is a good point about the PR stunt of credit protection. What a joke.

      The externalized amount, the burden on those whose data was stolen, is far greater.

      Also a really good point. Until someone class actions up on a few of these companies we're going to see IT security continue to race to the bottom just like everything else in this industry.

  • Right now, I'd say a substantial part of the problem is insurance protection against cyber attacks.

    If a company can go to a bog-standard insurance company like Travelers or AIG and spend a small fraction of both the real breach cost and the cost of actually securing things, they will - the profit motive demands it.

    What the profit motive DOESN'T demand is the insurance company look at their costs with a blind eye. Right now, I'm sure a large number of those policies are untriggered, so in aggregate, th
  • by ArhcAngel ( 247594 ) on Friday September 23, 2016 @03:38PM (#52949135)
    I didn't see any mention of the productivity losses incurred by heightened security either. Our VPN is so locked down it's almost impossible to get things done remotely unless you happen to work in a business unit that is permitted to use terminal servers. To this day we aren't allowed to have video conferencing with parties outside the corporate firewall. I'd estimate the productivity loss to be around 5-10% of overall effectiveness.
  • Comment removed based on user account deletion
  • by whitelabrat ( 469237 ) on Friday September 23, 2016 @03:52PM (#52949251)

    You can spend glorious tons of money on security and still get hacked. The problem lies is the internet has no boundaries built in and folks are trying to hide information. If it's networked to the internet, directly or indirectly, that information can get shared. Period.

    How to fix? Only information you're willing to share with the whole world should be on a system that is networked.

  • Just realize half of all penetrations are as a result of social engineering or tokens that get passed out beyond your control.

    Patch: keep your servers and workstations and laptops and mobile devices patched to the latest fix. Realize the latter two have a high chance of not being, due to their nature.

    Backup: keep both daily and periodic backups. Have periodic full backups offsite. Always assume people will corrupt and mess with your key files. Keep offline offsite versions of those.

    Rotate: don't always do t

  • add in the lost business from people who don't shop or use their services anymore? I haven't shopped at Target or Home Depot since they lost my data.

  • by KonoWatakushi ( 910213 ) on Friday September 23, 2016 @06:10PM (#52950113)

    x86 and systems based on it are hopeless from a security perspective, and that is even before considering the ticking time bomb that is Intel's Management Engine. It will be exploited eventually, and it would be surprising if the NSA wasn't already compelling Intel to backdoor it.

    See the Mill security architecture [millcomputing.com], for an example of how a clever architecture can eliminate the bulk of common exploit vectors, and require little more than a recompile. It isn't the only option, but I highlight the Mill because it is a fascinating and novel architecture which also addresses many other long-standing issues with conventional systems. The security mechanisms also enable performant microkernels to be built, and protection between applications and libraries.

    Operating systems will require work to take advantage of the protection features, but that will benefit everyone and be well worth the investment. This is the kind of "cyber" initiative I would like to see, rather than the focus on offensive capabilities. The latter poses a direct conflict of interest with securing systems, and ensures that adversaries will stock vulnerabilities rather than share and fix them.

  • Dear Penthouse -

    Whoops, wrong place.

    Anyhow...About 22 or so years ago I was sitting in the hot tub with my girlfriend at her apartment complex in Mountain View when two dorky young guys come and jump in with us. I'm thinking "swell, we're usually alone out here all evening and there go my immediate plans for a little semi public nooky".

    One starts talking about how he and the other guy are going to start up this search company named Yahoo and went on and on about it. Eventually they left and I turned to my

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Saturday September 24, 2016 @12:17AM (#52951803)
    Comment removed based on user account deletion

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...