FTC can now fine companies for getting hacked

Not sure if this has been posted already....pretty big deal for the infosec community, though.

Court Says the FTC Can Slap Companies for Getting Hacked | WIRED

Find more posts tagged with

Comments

Matt2

Hopefully this will drive companies to work hard (or at least some) at security.

636-555-3226

I read the actual opinion. It's pretty easy to understand. Basically Wyndham's privacy policy said they were specifically going to do x, y, and z to protect their customers' data. They got hacked, and it turns out they weren't actually doing x, y, and z. The lesson here is that if you're going to tell your customers that you are doing x, y, and z, then make sure you're actually doing x, y, and z. Otherwise they can sue you for lying to them, and that's what basically happened here (altho it was the FTC doing the suing).

veritas_libertas

*Warning I didn't read the article. TL;DR*

Because if you are hacked means you didn't do everything right...

Sorry, even if you do your best you may still get compromised. The important question is, how long will it take for you to detect it? I dislike the idea of blaming the victim. If they were negligent sure, but if they did their best and a hacker still got in that's different. Even a bank with guards can still experience an armed intruder(s) that rob them and run off with the money.

Something else that came to mind is that this will drive Cyber Insurance.

networker050184

I don't think the company that did everything right and still got hacked is the target here. It's the company that promised one thing and didn't take the due diligence to do it.

tpatt100

Yeah if a company is saying one thing and not doing anything that is a betrayal of customer/investor trust and I think should be punishable.

eSenpai

veritas_libertas wrote: »

*Warning I didn't read the article. TL;DR*

Because if you are hacked means you didn't do everything right... Sorry, even if you do your best you may still get compromised. The important question is, how long will it take for you to detect it? I dislike the idea of blaming the victim. If they were negligent sure, but if they did their best and a hacker still got in that's different. Even a bank with guards can still experience an armed intruder(s) that rob them and run off with the money.

Even before this precedent, security should never be about "do everything right because then you can't be breached" since this is a myth that many security companies once sold and people who lack technology fundamentals still believe. Security is about due care, due diligence and now, not lying about said due care and due diligence. If the company says they are doing X, Y & Z but turns out that they are not then they are liable per the FTC. Prior to this, if a company did not take industry vertical due care and due diligence then many states allowed said company to be sued. Really nothing new here other than the FTC sending a message from on high that its time to stop talking/lying about it and actually do it. Let's hope our collective budgets & paychecks see the benefits of that.

veritas_libertas

Agreed. Do your best, don't lie. These are things that should not have to be taught. Unfortunately we are seeing companies be lackadaisical often. What I do fear is that we are going to see heavy handed government involvement soon. Whether that will be beneficial for us as a profession is yet to be seen.

Going back to my initial response, I do think that we still have a perception that if a company is hacked they are automatically to be considered untrustworthy and lazy on the security front. We have no idea what is going on within the organization.

Deathmage

What I find contradictory of all this is the FTC will go after a private sector company for a data breach but the FTC should be going after Gov't infrastructure more too. Gov't infrastructure is so in the stone ages with security it's not even funny.

Case-in-point; I meet my sister whom was interning at the CDC in Atlanta last year for lunch while I was there visiting her and one of her co-workers there was the Senior IT guy, let me put it this way he was making well over 100k a year and I knew more than he did after chatting for 10 minutes....

...hopefully that's just the CDC but if all Gov't organizations are that laid back like "don't talk to me or ask me anything I'm coasting to retirement" mentality then the Gov't infrastructure should be penalized too....

too make matter worst, I read an article the FBI can't hire enough security people not being of the lack of skills but becasue $30k for a CISSP is a joke but that's Gov't for you. They play the whole you'll be patriotic card, Yup sure will be being patriotic pay for the insane taxes?

veritas_libertas

JUST the CDC? LOL...

Based on the last few years I'd say their security practices need work...

Deathmage

veritas_libertas wrote: »

JUST the CDC? LOL... Based on the last few years I'd say their security practices need work...

Gov't as a whole, I was being kind.

veritas_libertas

Deathmage wrote: »

Gov't as a whole, I was being kind.

More a reference to CDC's handling of biological substances. I'm sure the Feds are like any organization, some bureaus/departments/etc are better than others.

I do agree with your earlier comment, it does feel hypocritical.

Verities

Deathmage wrote: »

What I find contradictory of all this is the FTC will go after a private sector company for a data breach but the FTC should be going after Gov't infrastructure more too. Gov't infrastructure is so in the stone ages with security it's not even funny.

Totally agree with you, just look at the OPM hack, it was completely avoidable had they upgraded the systems that were so riddled with vulnerabilities since 2007, they were told by auditors to turn them off.

eSenpai

Aye, but the OPM situation does mirror almost every business segment out there today in that far too many businesses are running systems that need to be moth balled. Almost every shop has a server or application they simply can't (won't) replace.

Verities

eSenpai wrote: »

Aye, but the OPM situation does mirrors almost every business segment out there today in that far too many businesses are running systems that need to be moth balled. Almost every shop has a server or application they simply can't (won't) replace.

Fair enough, the difference with OPM is that the stakes are much higher in that it compromised an insane amount of DoD personnel and their loved ones. The attackers have enough information to build complete dossiers going back 7-10 years. Anyone that works for the DoD, past or present, with placement or access to classified material has a target on their back.

tpatt100

A big problem with the government is that all of the different departments have to fight for their budgets so not all agencies are funded appropriately so there are agencies with various levels of security. I remember seeing a contract request online for bringing all of the different state Medicaid systems into one platform. The contract listed probably a dozen different systems of various eras that I think handled filing Medicaid claims. It looked like a pretty epic challenge to migrate all of these semi current and legacy systems into one current standard.

eSenpai

tpatt100 wrote: »

A big problem with the government is that all of the different departments have to fight for their budgets so not all agencies are funded appropriately so there are agencies with various levels of security. I remember seeing a contract request online for bringing all of the different state Medicaid systems into one platform. The contract listed probably a dozen different systems of various eras that I think handled filing Medicaid claims. It looked like a pretty epic challenge to migrate all of these semi current and legacy systems into one current standard.

True. Budget battles are a pain by themselves. I can't imagine what its like when you add party and reelection politics on top of that. However, we have Target and Home Depot(but especially Target) as good examples of big security budgets with business pushing the security mission aside for income reasons. That's not to say a Target would have happened even if the business hadn't been hyper focused on its busiest season of the year. That is to say that even a fully budgeted security op like Target can be made intentionally vulnerable in pursuit of bottom line gains by management. [To the best of my knowledge it was high level managers who told everyone to ignore the alerts going off so it's not like Target didn't have an opportunity to kill an ongoing intrusion.]

Budgets aside though, OPM, Target and others like it, are really examples of those in power thinking "It can't happen to us." or "It won't happen to us". You can bet that not one congressman who blocked OPM funding over the years ever thought someone would come after the US government and pwn them like that. To wit, I hope that Ashley Madison FINALLY scares the naysayers into understanding that NOBODY is safe and EVERYTHING has value in the wrong hands when you don't take care of your security or make it the redheaded step-child of the organization.

TechGuru80

A lot of fines are because companies either aren't staffing properly or they are lazy and are doing very little in terms of security. A company like Anthem probably is doing a lot in terms of trying to be secure...a company like Wyndham or OPM is only doing a lot of talking.

thomas_

I'm kind of tired of hearing about all of these security breaches and hearing that the only compensation people get for having their PII compromised is free credit report monitoring for 24 months. I think these companies need to be sued and be forced to payout a lot more in money than what it costs for the free credit report monitoring for 24 months.

I do like the idea of the FTC trying to get companies to get companies to take security seriously, but I'm kind of wondering where the money(fines) go?

Are there ever any class action lawsuits against these companies that have huge security breaches?

MTciscoguy

thomas_ wrote: »

Are there ever any class action lawsuits against these companies that have huge security breaches?

I would wonder the same thing about the US Government, which has had a few huge security breaches of its own! Until they can police their own, they should not be policing others.

gespenstern

Didn't read the article, but.

Right now companies have close to zero incentive to fight breaches. Let's talk about Target which is a good example. A ton of things were wrong in this company:
1. No CISO.
2. IT analysts outsourced to India fail to detect things happening.
3. No DLP or DLP not configured, CC data was exfiltrated in plain text and nobody caught anything.
4. No IDS/not configured IDS (there was a rumor that they have FireEye), that didn't catch clear indication of things happening on the network.
5. Outdated Windows XP Embedded for POS devices.
6. No trusted execution configured on POS devices.
7. Malicious service created on ~25 POS multiplied by ~1800 stores at once and nobody caught it.
8. CIO was a long-time employee with business/salesperson background and no IT knowledge whatsoever.

What are their damages? $61 million in lawsuits and other damages. Compare this figure to their yearly net profit which is >2 billions. The most serious impact was because citizens decided not to go to Target and buy stuff there for around 2-3 months and net profits made missed expectations, during 4th fiscal 2013 quarter (ended on 1st of February 2014) their net profits were down 46% compared to previous year. They have fully recovered their profits and share price in spring 2014

Don't forget that they didn't leak their data. They leaked our CC data and who suffered here the most were "guests" (those of us who used debit cards and lost money that crooks stole from debit cards) and banks (who's responsible for money stolen from credit cards). Target leaked nothing of their own.

So what incentive do they have to detect and prevent breaches and how much money they would be willing to spend towards this? Rhetorical question.

eSenpai

gespenstern wrote: »

Didn't read the article, but.

Right now companies have close to zero incentive to fight breaches. Let's talk about Target which is a good example. A ton of things were wrong in this company:
1. No CISO.
2. IT analysts outsourced to India fail to detect things happening.
3. No DLP or DLP not configured, CC data was exfiltrated in plain text and nobody caught anything.
4. No IDS/not configured IDS (there was a rumor that they have FireEye), that didn't catch clear indication of things happening on the network.
5. Outdated Windows XP Embedded for POS devices.
6. No trusted execution configured on POS devices.
7. Malicious service created on ~25 POS multiplied by ~1800 stores at once and nobody caught it.
8. CIO was a long-time employee with business/salesperson background and no IT knowledge whatsoever.

What are their damages? $61 million in lawsuits and other damages. Compare this figure to their yearly net profit which is >2 billions. The most serious impact was because citizens decided not to go to Target and buy stuff there for around 2-3 months and net profits made missed expectations, during 4th fiscal 2013 quarter (ended on 1st of February 2014) their net profits were down 46% compared to previous year. They have fully recovered their profits and share price in spring 2014

Don't forget that they didn't leak their data. They leaked our CC data and who suffered here the most were "guests" (those of us who used debit cards and lost money that crooks stole from debit cards) and banks (who's responsible for money stolen from credit cards). Target leaked nothing of their own.

So what incentive do they have to detect and prevent breaches and how much money they would be willing to spend towards this? Rhetorical question.

Hmmm....this was not my understanding of the investigation at all. According to the Killchain report given to the Senate committee Target actually had a lot of these things in place. Where they miserably failed (3rd party and non-segregated networks not-withstanding is in responding appropriately when their systems(Symantec & FireEye) told them that something was terribly amiss and by not allowing the software to automatically respond to events. As I understood the government report, Target was a human failure rather than a system one even though the Secureworks report reads like it was a systems failure.

Senate report: vs Dell report:

I have a great deal of respect for Secureworks but their reporting can come across highly skewed toward sounding like marketing material more often than not.

As to the CISO thing, sadly they still have not learned their lesson in that the new CISO reports to the CIO. For my money, it is damn hard to tell your boss that he/she is not doing things right and then expect that person to tell the board the same thing. The CIO and CISO roles should be at equal levels to me but alas this paradigm is still debated almost everywhere and is likely to start a religious war even here. From a risk management perspective, the role is simply too important to not have a place among peers.

gespenstern

eSenpai wrote: »

Hmmm....this was not my understanding of the investigation at all. According to the Killchain report given to the Senate committee Target actually had a lot of these things in place.

Not sure what are you arguing with... What things?

eSenpai wrote: »

As to the CISO thing, sadly they still have not learned their lesson in that the new CISO reports to the CIO.

Totally agree. But from purely business standpoint they have little to no incentive to do that, as I already showed. They save much more on outsourcing and cutting costs on IT security than they lose from breaches. And properly designed regulations are supposed to fill the gap and punish financially to provide necessary incentive.

apr911

tpatt100 wrote: »

A big problem with the government is that all of the different departments have to fight for their budgets so not all agencies are funded appropriately so there are agencies with various levels of security. I remember seeing a contract request online for bringing all of the different state Medicaid systems into one platform. The contract listed probably a dozen different systems of various eras that I think handled filing Medicaid claims. It looked like a pretty epic challenge to migrate all of these semi current and legacy systems into one current standard.

A buddy of mine used to do work on a military base and we used to chat about some of the issues of government work in IT. He had 2 big complaints that he frequently cited as an issue in government IT work:

1. Normal bureaucracy and the affect it has on change control/management. He told me a few stories the approval chain was so long that it was 6 months between when a task was requested and when the task was finally executed. To the point that by the time it was executed, no one could really remember what it was they were solving for anyway since some hack-job one-off fix had been long ago implemented to address the immediate need of the issue.

Couple that with the fact that government networks tend to be the "no-downtime" type and you can see how out of wack this can get. If you can only patch your servers every 6 months and the CM process takes 6 months, you will eternally be 6-12 months out of date on patching if not more considering patches often had to be tested/QA'd before deployment to production. This is a somewhat bad example since there were some exclusions for patching of systems (and escalations for particularly bad vulnerabilities or if a fix to a patch slated to go into the next update was released after initial approval) but it is the most functional example since patching is one of the most regular things we do and yet it is still one of the most frequently cited issues for how an attacker got in in the first place.

For such an easy thing to do, it's amazing how often it comes down to "well we patched 999 of 1000 machines but by george, we couldn't take the downtime on the last machine so it wasn't patched..." Through that 1 unpatched machine an attacker gained access to the network and with access to the network they were able to compromise the other 999 servers.

He mentioned it the bureaucracy tended to get even worse when it came time to replace gear, not just because of budgeting but because of the bureaucracy associated with the government procurement/bidding process (not to mention how that process also ends up in a lot of waste as devices were purchased based on bid, not utility/functionality).

2. Security getting in the way of its self. This happened in 2 ways: first, through access to secure areas. He told me that on more than one occasion, he had a issues with a system under his "ownership" that he could not physically access because it was in a "secure" area to which he wasn't cleared to enter. To get access, he either had to wait until the area was no longer "secure" or had to go through a bureaucratic process to get approval to enter the secure area (in addition to his TS-SCI security clearance). He said it was not uncommon for the request to be denied, in which case he'd have to further argue the need, or for the request to be approved long after the area had been cleared and he was able to resolve the problem.

The second way security gets in the way of its self is in the vetting of new technologies, which again can in some ways be traced back to bureaucracy... It currently takes the US Gov't an average of 12-18 months to conduct a background investigation for TS-SCI on a person and while that's somewhat understandable since people are often the weakest link in the security chain, vetting devices often took a similar amount of time. Technology moves too fast for that cycle of vetting. You can plan to deploy a state of the art firewall today and by the time the device, its code, etc has been vetted, the device, the software and/or the firmware were obsolete.