> but now there's a very strong incentive to not report data breaches and have your insurance premiums go up or government regulation come down

I would argue the opposite is true. Insurance doesn't pay out if you don't self-report in time. Big data breaches usually get discovered when the hacker tries to peddle off the data in a darknet marketplace, so not reporting is gambling that this won't happen.

reply
Curious how the compromised company can report if the compromise has not been detected.
reply
There need to be much more powerful automated tools. And they need to meet critical systems where they are.

Not very long ago, actual security existed basically nowhere (except air-gapping, most of the time ;)). And today it still mostly doesn't, because we can't properly isolate software and system resources (and we're very far away from routinely proving actual security). Mobile is much better by default, but limited in other ways.

Heck, I could be infected with something nasty and never know about it: the surface to surveil is far too large and constantly changing. Gave up configuring SELinux years ago because it was too time-consuming.

I'll admit that much has changed since then and I want to give it a go again, maybe with a simpler solution to start with (e.g. never grant full filesystem access and network for anything).

We must gain sufficiently powerful (and comfortable...) tools for this. The script in question should never have had the kind of access it did.

reply
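The "simpler solution" the comment above mentions (deny full filesystem and network access by default, then grant back only what a job needs) can be expressed without writing SELinux policy by running the script as a hardened systemd service. The unit below is an added example, not code from the thread; the service name, script path and the single writable directory are assumptions chosen for illustration.

```ini
# /etc/systemd/system/nightly-report.service  (hypothetical service name)
# Added example: a least-privilege unit for a script that should only read its
# input directory and write one output directory, with no network at all.
[Unit]
Description=Nightly report generator (illustrative hardened unit)

[Service]
Type=oneshot
# Hypothetical script and dedicated unprivileged account
ExecStart=/usr/local/bin/nightly-report.sh
User=report
Group=report

# Filesystem: whole OS read-only, home directories invisible, then
# re-grant write access to exactly one directory.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/nightly-report
# Hide kernel tunables and other processes from the script
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectProc=invisible

# Network: the script gets its own empty network namespace (loopback only)
# and cannot even open a socket of any other family.
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX

# Privilege: no setuid escalation, no capabilities, no unusual syscalls.
NoNewPrivileges=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
UMask=0077

[Install]
WantedBy=multi-user.target
```

The point of `ProtectSystem=strict` plus a single `ReadWritePaths=` entry is that the grant is enumerated rather than the deny list: a script that was written to touch nothing else fails loudly if it ever tries. `systemd-analyze security nightly-report.service` scores a unit's exposure and lists which of these directives are missing, which is a cheap way to check that the sandbox is actually in effect rather than assuming it.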
You are asserting that security has to be hand-crafted. That is a very strong claim, if you think about it.

Is it not possible to have secure software components that only work when assembled in secure ways? Why not?

Conversely, what security claims about a component can one rely upon, without verifying it oneself?

How would a non-professional verify claims of security professionals, who have a strong interest in people depending upon their work and not challenging its utility?

reply
Not the person you are responding to, but: I would agree that at the stage of full maturity of cybersecurity tooling and corporate deployment, configuration would be canonical and painless, and robust and independent verification of security would be possible by less-than-expert auditors. At such a stage of maturity, checklist-style approaches make perfect sense.

I do not think we're at that stage of maturity. I think it would be hubris to imitate the practices of that stage of maturity, enshrining those practices in the eyes of insurance underwriters.

reply
You’re making many assumptions which fit your worldview.

I can assure you that insurers don’t work like that.

If underwriting were as sloppy as you think it is, insurance as a business model wouldn't work.

reply
Err, cybersecurity insurance as a business model has not worked. I have seen analyst reports showing that there have been multiple large claims that are each individually larger than all premiums ever collected industry wide. Those same reports indicated that all the large cybersecurity insurance vendors were basically no longer issuing policies with significant coverage, capping out at the few million dollar range. Cybersecurity insurance is picking up pennies in front of a steamroller; you wonder why no one else is picking up this free money on the ground until you get crushed.

Note, that is not to say that cybersecurity insurance is fundamentally impossible, just that the current cost structure and risk mitigation structure is untenable and should not be pointed at as evidence of function.

reply