funsec mailing list archives

Re: More bad news for risk management


From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 19 Aug 2012 12:34:36 -0400

Hi Valdis,

I understand you and Tom.

On Sun, Aug 19, 2012 at 11:29 AM, <valdis.kletnieks () vt edu> wrote:
> On Sat, 18 Aug 2012 12:17:40 -0400, Jeffrey Walton said:
>> On Fri, Aug 17, 2012 at 12:43 AM, Tomas L. Byrnes <tomb () byrneit net> wrote:
>>> Ignoring risk is a perfectly valid way of managing it, if the return of
>>> putting the resources into the risky endeavor exceeds the costs of
>>> putting them into managing the risk.
>> I know it's common practice, but I respectfully disagree. It's been my
>> experience that most problems can be solved correctly from an
>> engineering standpoint.
>
> Reading comprehension fail.  Tomas's point is that yes, often there *is* an
> engineering solution.  But if you invest $250K in an engineering solution for a
> problem that only risks $100K loss, you're being stupid.  At that point, just
> making a note that you have a potential $100K liability and getting on with
> your life *is* the proper way to manage that risk.
I agree that's the way it's done in practice.

Here's my "devil's advocate" view (from experience). A software
development team drives requirements and design for an account
management package, and comes up with a crummy, insecure solution.
(Developer driven software is some of the worst software I have ever
seen).

Now, say a bank uses the solution. They send it through a security
review and find it's full of holes and should not be used. The bank
will say: on one hand, it will cost us tens of thousands of dollars
and months of time to design and implement this server software
correctly. In the months that pass, we will lose hundreds of thousands
per month because we lack the feature (customers will go to another
bank). However, it will cost us 50 cents per customer to send out the
data breach letter if something goes wrong.

Later, the server software is breached and 1,000,000 customers have
their names, addresses, and social security numbers stolen. It costs
the bank 500,000 to mail letters. Meanwhile, 1,000,000 people could
endure a lifetime of misery because it was cheaper for the bank to
allow the breach to happen.

I work in this area (security architectures and reviews), and I'm the
guy who points out the defects in the systems. When I fail a system,
it goes on to risk acceptance.

As I said, risk acceptance is a perversion to justify use of unfit and
defective systems. It only benefits the folks who want to use the
system, often in the pursuit of money; and sacrifices the folks who
are part of a system. Often, the unsuspecting souls don't realize they
are even part of a defective system.

Jeff
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
