Security Basics mailing list archives

RE: Fwd: Why suing auditors won't solve the data breach epidemic


From: "Rui Pereira" <wavefront1 () shaw ca>
Date: Fri, 10 Sep 2010 13:58:05 -0700

Mind giving us a link to the article you are referring to?

Thank you, Rui

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of lonervamp () gmail com
Sent: June-22-09 8:13 AM
To: security-basics () securityfocus com
Subject: Re: Fwd: Why suing auditors won't solve the data breach epidemic

Normally passing off links to mailing lists annoys me, but I hadn't seen
this article so I have to grudgingly say thanks! :)

I don't like the idea of suing auditors. To me it smacks of just part of the
"pass the blame" game. I can be convinced, however... 


But if this continues, I'd like some feedback on some of my opinions on the
possible implications of this case:

1. If auditors can be sued, this may result in more strict contracts that
absolve auditors of these things?

2. This could result in the demand that auditors have even more visibility
and power on the networks they audit. No more turning off that server while
the auditors are scanning!

3. I think this should scare the rubber-stamp, unskilled auditors/pen-test
firms, but will it also scare away truly good ones?

4. Savvis may have missed a glaringly obvious checkbox with storing
unencrypted data (whether or not that even mattered in the actual breach;
it's arguable what your real value is in encrypting that layer). But does
that possibly just reinforce checkbox auditing?

5. What about auditors that do pass a client, but the client only looks good
when it is audit time? Will this lead to more 24/7 monitoring/auditing? One
may as well go with an MSSP or just beef it up in-house, right? (Of course,
beefing up in-house means you can only fire someone for a breach and likely
can't get reparations like a lawsuit against a vendor.) I mean, seriously, how
often do companies turn on the alert dashboards or rush out patches only
during audit week?

6. Will any of this be compatible with what we all have to accept: security
cannot ever be perfect; plan for the breach.

And kudos to the author for taking a quick glancing blow at the idea of suing
someone/something for the accuracy of their opinion, in relation to suing
for securities/firm valuations, etc.

My apologies for vomiting this whole thing out, but I wouldn't mind seeing
some discussion on it.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------