Robert X. Cringely points out the hidden costs of running corporate IT over the public internet:
How cheap is IT, really, if it compromises customer data? Not cheap at all. Last year’s Target hack alone cost the company more than $1 billion, estimated Forrester Research. The comparably-sized Home Depot hack will probably cost about the same. JP Morgan Chase is likely to face even higher costs.
He wonders why companies aren't shifting back to dedicated networks, like the ones they used to build with leased lines.
Taking a bank or retail network back to circa 1989 would go a long way toward ending the current rash of data breaches. It would be expensive, sure, but not as expensive as losing all the money that Target and others have recently done.
Is this practical? If so, how would it be accomplished with modern equipment?
(Score: 3, Interesting) by Thexalon on Friday October 10 2014, @01:14PM
Yes, but rarely is the question asked, "Is our developers learning?"
The challenge is that most of the big data breaches recently have been companies that were in fact following correct procedures. What I recommend for my clients when dealing with sensitive data is to as much as possible make it Somebody Else's Problem e.g. use the payment processor's hosted tools so that your boxes never see the CC data. But I know that's not solving the problem, it's just making it so that my clients aren't liable if there is a problem.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by kaszz on Friday October 10 2014, @02:06PM
One could also ask "Does management allow our developers to learn?" or maybe they just outsourced it...
Then comes "Are there resources (time) available to do something about our knowledge?"...
Considering Murphy's law, it might actually be an efficient strategy. Provided the API isn't a royal pain.
(Score: 0) by Anonymous Coward on Friday October 10 2014, @02:57PM
It does more than that: Given that your payment processor needs to get the CC data anyway, keeping it only with the payment processor means a smaller attack surface.
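The two comments above (hand card data to the processor's hosted tools so your own boxes never see it, which also shrinks the attack surface) describe an architecture, and the piece a practitioner usually has to add is a check that the invariant actually holds: a checkout endpoint that only accepts a processor token, and refuses any request in which a primary account number has leaked into some other field (a "notes" box, a query string, a log line). The following is an added example, not code from the thread or from any real payment processor; the `tok_` prefix, the `accept_checkout` endpoint and the `charge_with_processor` stub are assumptions, and the card numbers are the well-known Visa/Mastercard test numbers plus a constructed order id, not real accounts.

```python
from __future__ import annotations
import re

# Digit runs of 13-19 characters, optionally separated by spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check; filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in text, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_value(value) -> list[str]:
    """Recursively scan a decoded JSON body (dicts, lists, strings) for PANs."""
    if isinstance(value, str):
        return find_pans(value)
    if isinstance(value, dict):
        return [p for v in value.values() for p in scan_value(v)]
    if isinstance(value, (list, tuple)):
        return [p for v in value for p in scan_value(v)]
    return []


def charge_with_processor(token: str, amount_cents: int) -> dict:
    # Assumed stand-in for the server-to-processor call. Only the token and
    # the amount travel on this path; the PAN never reaches this process.
    return {"token": token, "amount_cents": amount_cents, "ok": True}


def accept_checkout(request_body: dict) -> dict:
    """Checkout handler that enforces 'this server never sees card data'."""
    leaked = scan_value(request_body)
    if leaked:
        # Reject rather than log the value: the PAN must not land in our
        # logs either. Counting the hits is enough to alert on.
        return {"status": 400,
                "error": "card data must go to the payment processor, not this server",
                "leaked_count": len(leaked)}
    token = request_body.get("payment_token")
    if not isinstance(token, str) or not token.startswith("tok_"):
        return {"status": 400, "error": "missing payment token"}
    amount = int(request_body["amount_cents"])
    return {"status": 200, "charge": charge_with_processor(token, amount)}


# Constructed sample requests. The browser is expected to have exchanged the
# card for a token with the processor's hosted form before calling us.
GOOD_REQUEST = {
    "amount_cents": 4999,
    "payment_token": "tok_8f3a2c",          # assumed token format
    "customer_note": "order 1234567890123456 leave at the door",
}
LEAKY_REQUEST = {
    "amount_cents": 4999,
    "payment_token": "tok_8f3a2c",
    "customer_note": "my card is 4111 1111 1111 1111, charge that one",
}

if __name__ == "__main__":
    print(accept_checkout(GOOD_REQUEST))
    print(accept_checkout(LEAKY_REQUEST))
```

The Luhn filter is what keeps the guard usable: the 16-digit order id in `GOOD_REQUEST` fails the checksum and passes through, while the test PAN in `LEAKY_REQUEST` is caught even with its spaces. The same `scan_value` routine is worth running over outbound log records and over the processor-bound payload, since a leak into either is the failure the hosted-tools approach is meant to prevent.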
(Score: 0) by Anonymous Coward on Friday October 10 2014, @03:58PM
Indeed. And for a good, grammatical reason.
(Score: 2) by DeathMonkey on Friday October 10 2014, @06:41PM
The challenge is that most of the big data breaches recently have been companies that were in fact following correct procedures.
That doesn't sound like the case for Home Depot, at a minimum:
Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.
reference [arstechnica.com]
(Score: 2) by Hairyfeet on Saturday October 11 2014, @06:50AM
Devs ain't got shit to do with it, good security costs good MONEY and the MBAs won't spend the bucks. This is one of the reasons I got out of corp IT, they would have a security nightmare that could be fixed by spending X to set up Y but would they spend X? Fuck no, in fact they would often cut IT to the bone so they could say "I saved the company X amount of dollars!" and get a sweeter job at another place while the system fell apart behind them.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.