Breaches are starting to be viewed as inevitable, and thus there is less
onus upon the victim corp to have minimized its possibility.

Should it turn out that negligence is deemed the primary reason for the
breach, then we might see more impact on Target.

ASB  http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…

On Fri, Dec 27, 2013 at 8:49 AM, Maglinger, Paul <[email protected]> wrote:

>  Au contraire mon frère!  Publicly owned retail companies care a great
> deal about company image.  Although they usually overestimate the damage
> the publicity causes, I must admit surprise that Target stock hasn’t gone
> down more than it has.
>
>
>
> -Paul
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *John Cook
> *Sent:* Thursday, December 26, 2013 8:10 AM
>
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> And therein lies the rub – businesses aren’t going to pay for the extra
> effort to prevent the what-if regardless of the potential cost, because most
> if not all of them carry liability insurance to cover the raw costs of such
> breaches. There is little thought put into the damage to the company image
> because that’s not quantifiable.
>
>
>
>  *John W. Cook*
>
> *Network Operations Manager*
>
> *Partnership For Strong Families*
>
> *5950 NW 1st Place*
>
> *Gainesville, Fl 32607*
>
> *Office (352) 244-1610*
>
> *Cell     (352) 215-6944*
>
> *MCSE, MCP+I, MCTS,*
>
> *CompTIA A+, N+, Security+*
>
> *VSP4, VTSP4*
>
>
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Ziots, Edward
>
> *Sent:* Tuesday, December 24, 2013 10:34 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> Espi,
>
>
>
> Ken is correct, security management is all about risk. So when you are
> held against compliance standard (X, Y, Z), businesses are going to do exactly
> what the compliance mandates, nothing more, nothing less, because it meets
> their requirements from a compliance perspective, and that is the cost they
> are willing to spend to reduce the risk. Anything more, to the business, is
> above and beyond what is required, and from a business perspective is not
> seen as contributing to the bottom line and very well might be financially
> infeasible to do given budgets, time and constraints. (You have to
> factor in the cost of human capital: people to build, design and deploy
> said solutions, on top of the others to monitor and report on its
> effectiveness in reducing the aforementioned risk.)
>
>
>
> I am not saying that compliance = security; that is a moot point, because it
> isn’t, or anywhere remotely close, but it’s the measure that businesses are using
> to secure their systems against attack. I am not saying this is a good way
> to do things, but it’s the way stuff is getting done.
>
>
>
> Z
>
>
>
> Edward E. Ziots, CISSP, CISA, Security +, Network +
>
> Security Engineer
>
> Lifespan Organization
>
> [email protected]
>
> Work:401-255-2497
>
>
>
>
>
> This electronic message and any attachments may be privileged and
> confidential and protected from disclosure. If you are reading this
> message, but are not the intended recipient, nor an employee or agent
> responsible for delivering this message to the intended recipient, you are
> hereby notified that you are strictly prohibited from copying, printing,
> forwarding or otherwise disseminating this communication. If you have
> received this communication in error, please immediately notify the sender
> by replying to the message. Then, delete the message from your computer.
> Thank you.
>
>
>
>
>
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Ken Schaefer
>
> *Sent:* Tuesday, December 24, 2013 3:40 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> All credit cards have magnetic stripes for backwards compatibility reasons
> (all of my CCs have chips – I have a dozen issued across three countries,
> and they all have both), but don’t chips merely prevent cloning? It doesn’t
> stop someone using them at a “card not present” sale (e.g. an online store).
>
>
>
> Is it going to be adequate security; or is it going to be financially
> feasible security?
>
>
>
> All security is risk management. You can avoid, accept, transfer or
> mitigate a risk – and which you choose comes down to a set of factors,
> including cost.
>
>
>
> What’s the difference between “adequate security” and “financially
> feasible security”? I’ve never heard this distinction drawn before.
>
>
>
> Cheers
>
> Ken
>
>
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Micheal Espinola Jr
> *Sent:* Tuesday, 24 December 2013 2:42 PM
>
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> Re-read the information about the Target breach, and reconsider what I
> have said.  This would not affect people outside of the US who do not use
> credit cards with magnetic stripes.
>
>  It’s not just a matter of reading the stripe directly, but also the
> technology involved in how that information is further processed.
>
> Ken, please pick a point you are going to choose to argue against/for: is
> it going to be adequate security, or is it going to be financially feasible
> security?
>
>
>   --
> Espi
>
>
>
>
>
> On Mon, Dec 23, 2013 at 7:27 PM, Ken Schaefer <[email protected]> wrote:
>
>  How do you know “they should not have happened”? Perfect security is,
> pretty much, impossible. So, statistically, there will always be some level
> of breaches occurring, including some level of severe breaches. How do you
> know we aren’t at a level that makes monetary sense? Would you be prepared
> to, say, halve your income (because prices are double), simply to have 5%
> or 10% fewer security breaches?
>
>
>
> I don’t see how any recent serious breach is related to the use of
> magnetic stripe media or re-use of stolen phones, so I don’t really
> understand what you’re saying there.
>
>
>
> Cheers
>
> ken
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Micheal Espinola Jr
> *Sent:* Tuesday, 24 December 2013 2:20 PM
> *To:* [email protected]
>
>
> *Subject:* Re: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> I can only assume they don’t, since historically (generally speaking) there
> have been serious breaches that should not have happened.  I’ve been
> involved with POS systems, banking systems, as well as various wifi devices
> - and for years, there’s been a lot of foolishness.  Business rarely does
> what it should - and instead only does what it has to, or can financially
> bet against.
>
>    - Banking: We (the US) still allow a system that relies heavily on
>    magnetic stripe media.
>    - Telco:  We (the US) still allow a system where cell phones can be
>    stolen and reused.
>
>
>   --
> Espi
>
>
>
>
>
> On Mon, Dec 23, 2013 at 6:31 PM, Ken Schaefer <[email protected]> wrote:
>
>  Your rant presupposes that there isn’t “decent security” already in
> place. What evidence do you have that there isn’t?
>
>
>
> Cheers
>
> Ken
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *J- P
> *Sent:* Tuesday, 24 December 2013 12:43 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> /rant on
>
> I have one question that rings in the back of my mind: they (banks,
> creditors, merchants etc.) charge all sorts of fees,
> sometimes I’ve heard of fees larger than a bill that’s due.
> Why can’t they take a piece of that to get some decent security into place?
>
> /rant off
>
> Happy holidays and a prosperous new year to all
>
>
> Jean-Paul Natola
>
>   ------------------------------
>
> From: [email protected]
>
>
> Date: Mon, 23 Dec 2013 08:10:19 -0500
>
> Subject: Re: [NTSysADM] RE: 40 Million CC breach at Target....
>
> To: [email protected]
>
> >> That's a pretty fair analogy - and both statements are true. On the
> >> other hand, banking is much better understood - experience with banking
> >> goes back hundreds of years, with concomitant expertise in many fields in
> >> dealing with the risks in banking. The experience around computing is much
> >> more shallow, and the risks are not as well known, nor has nearly as much
> >> thought and practice gone into mitigating them.
>
> Okay, so how about when banking relies upon computing?  Which risk profile
> comes into play, then -- the hundreds of years, or the shallow
> years/decades?
>
> Whether or not YOU use online banking, it is almost assured that your bank
> provides it and that others are aware of its existence.  Do you think that
> your bank is providing such a service without any reliance upon 3rd
> parties?  Do you think that because you aren't using the online services
> from your bank that your data would be unimpacted?
>
> (Hint: I'm sure that some of the people impacted in the Target breach, as
> in the TJX breach before it, were *not* online users)
>
>
>
>
> ASB  http://XeeMe.com/AndrewBaker
> Providing Virtual CIO Services (IT Operations & Information Security) for
> the SMB market…
>
> On Sun, Dec 22, 2013 at 10:31 PM, Kurt Buff <[email protected]> wrote:
>
>  On Sun, Dec 22, 2013 at 6:59 PM, Andrew S. Baker <[email protected]>
> wrote:
> >>> Amazon's cloud is external to its customers - Amazon's staff,
> >>> procedures and infrastructure are a risk to its customers.
> >
> > That's as illogical a statement as the following:
> >
> > XYZ Bank's technology infrastructure is external to its customers - XYZ
> > Bank's staff, procedures and infrastructure are a risk to its
> > customers...
>
> That's a pretty fair analogy - and both statements are true. On the
> other hand, banking is much better understood - experience with
> banking goes back hundreds of years, with concomitant expertise in
> many fields in dealing with the risks in banking. The experience
> around computing is much more shallow, and the risks are not as well
> known, nor has nearly as much thought and practice gone into
> mitigating them.
>
>
> >>> Except when suborned or perverted by money, patriotism or blackmail:
> >>> http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
> >
> > And how does your maintaining your infrastructure on-premises, but having
> > to rely on 3rd party telecommunications, mitigate the above risk in any way?
>
> It's not just that specific incident - that's but one example, and in
> this specific instance, there was no remedy - trusted parties were
> subverted, and the same can happen in other fields. I'm not arguing
> for perfection here - just a recognition that complexity brings risk,
> and that keeping things simple and under more control is usually wise.
>
> Indeed, for some businesses, especially small ones with no IT staff,
> or very limited IT staff, going with a public cloud might make sense.
> But if a business has good IT staff, I'd venture that migrating most
> or all of their infrastructure to a public cloud isn't their best bet.
>
> Kurt
>
>  ------------------------------
>
>
> CONFIDENTIALITY STATEMENT: The information transmitted, or contained or
> attached to or with this Notice is intended only for the person or entity
> to which it is addressed and may contain Protected Health Information
> (PHI), confidential and/or privileged material. Any review, transmission,
> dissemination, or other use of, and taking any action in reliance upon this
> information by persons or entities other than the intended recipient
> without the express written consent of the sender are prohibited. This
> information may be protected by the Health Insurance Portability and
> Accountability Act of 1996 (HIPAA), and other Federal and Florida laws.
> Improper or unauthorized use or disclosure of this information could result
> in civil and/or criminal penalties.
> Consider the environment. Please don't print this e-mail unless you really
> need to.
>