Comments: Our security sucks. Why can't we change? What's wrong with us?

as i've periodically mentioned before, we were brought in to help wordsmith the cal (state) digital signature legislation ... and then later the federal legislation
http://www.garlic.com/~lynn/subpubkey.html#signature

as part of that activity we were exposed to some of the disclosure/notification legislation work going on ... both with regard to the use of personal information as well as security breaches and data breaches. a few recent posts in various threads mentioning notification/disclosures
http://www.garlic.com/~lynn/2007f.html#72
http://www.garlic.com/~lynn/2007f.html#75
http://www.garlic.com/~lynn/2007g.html#8

this somewhat, subsequently also got us roped into co-authoring the x9.99 financial privacy related standard ... somewhat in support of that activity i had done a merged privacy taxonomy and glossary ... reference here
http://www.garlic.com/~lynn/index.html#glosnote

and for other topic drift, some other recent threads ... much more on the integrity and security side of the topic ... as opposed to the notification/disclosure side of the topic
http://www.garlic.com/~lynn/2007h.html#36
http://www.garlic.com/~lynn/2007h.html#37

and a separate part/aspect (which touches slightly more on some of the business issues) in the same thread
http://www.garlic.com/~lynn/2007h.html#27
http://www.garlic.com/~lynn/2007h.html#28
http://www.garlic.com/~lynn/2007h.html#31

Posted by Lynn Wheeler at April 17, 2007 07:24 PM

I would add one other factor from Brian Chess at last year's OWASP conference. He talked about new companies that have low security risk (they have not accumulated assets yet), but high market risk (they need to build a business). Over time, successful companies accumulate assets and market position; these lines intersect: the company is successful, they have lower risk on market share, and they become a bigger security target, and so on. He was talking about startups, but I think the same concept applies in how firms perceive new solutions in general. Since the lines cross over time, this also explains why security always feels like it is playing catch up.

http://1raindrop.typepad.com/1_raindrop/2006/10/brian_chess_on_.html

Posted by Gunnar at April 18, 2007 09:06 AM

It's not that we're unable to propose solutions, it's that they're hard to compare. My assertion is that once we overcome the desire to hide our errors, we can learn to compare in better ways.

Posted by Adam at April 18, 2007 04:10 PM

recent article from yesterday

Banks must come clean on ID theft
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/04/17/EDGEBOS87H1.DTL&feed=rss.opinion

from above:

Two separate studies recently reached conflicting conclusions: While one found that identity theft is on the rise significantly, the other reported that it is on the decline.

So which is it?

... snip ...

i had made a similar observation a month ago
http://www.garlic.com/~lynn/2007e.html#29 Securing financial transactions a high priority for 2007

also referenced here
http://www.garlic.com/~lynn/2007h.html#48 Securing financial transactions a high priority for 2007

previous post in this thread
http://www.garlic.com/~lynn/aadsm26.htm#57

and my oft repeated reference to old post on security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

and in some of the existing environments the attackers can possibly outspend the defenders by as much as 100:1
http://www.garlic.com/~lynn/2007f.html#75 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007g.html#20 T.J. Maxx data theft worse than first reported

Posted by Lynn Wheeler at April 18, 2007 08:06 PM

Can't believe they disagree on whether id theft is increasing or decreasing...

Posted by H. Dameure at April 8, 2008 05:36 PM