Comments on: Heartland CEO and Outrage http://newschoolsecurity.com/2009/08/heartland-ceo-and-outrage/ The Blog Inspired By The Book Tue, 07 Feb 2012 02:09:16 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: LonerVamp http://newschoolsecurity.com/2009/08/heartland-ceo-and-outrage/#comment-263 LonerVamp Wed, 19 Aug 2009 14:45:06 +0000 http://newschoolsecurity.com/?p=401#comment-263 It's more a failure of our culture of blame and avoidance of blame (or litigation) that we don't share information. Trying not to get on either side of the discussion of Carr for the moment, I feel that we can say we're still sweeping this under the rug not just because we're not sharing info properly, but also because we have a lot of people in security who won't truly have the chops to be advising about security. If you get a lot of non-experts together trying to act as experts, you'll have tons of holes (and this thing we call compliance and hope that it equals security). (Then again, maybe that second thing is an offshoot of companies cheaping out on security....) It’s more a failure of our culture of blame and avoidance of blame (or litigation) that we don’t share information.

Trying not to get on either side of the discussion of Carr for the moment, I feel that we can say we’re still sweeping this under the rug not just because we’re not sharing info properly, but also because we have a lot of people in security who won’t truly have the chops to be advising about security.

If you get a lot of non-experts together trying to act as experts, you’ll have tons of holes (and this thing we call compliance and hope that it equals security).

(Then again, maybe that second thing is an offshoot of companies cheaping out on security….)

]]> By: Michael Janke http://newschoolsecurity.com/2009/08/heartland-ceo-and-outrage/#comment-251 Michael Janke Fri, 14 Aug 2009 00:40:35 +0000 http://newschoolsecurity.com/?p=401#comment-251 I took Carr's comment on the 300 breaches as an indictment of the security profession/industry as a whole - that a particular vector was common, but neither they nor their QSA's knew it existed. The bottom line is that when someone gets breached, the don't publish the details of the breach and the rest of us don't get the benefit of learning from others misfortune. That's a failure of the profession, not a failure of PCI, QSA's or Heartland. The people who build failed bridges don't sweep their failures under the rug. They publish papers on the failure & the world learns how to build better bridges. BTW - did Heartland ever publish a paper on how they got hacked? I'd like to learn from their failure. It'd be a heck of a lot better that waiting until it happens to me. --Mike I took Carr’s comment on the 300 breaches as an indictment of the security profession/industry as a whole – that a particular vector was common, but neither they nor their QSA’s knew it existed.

The bottom line is that when someone gets breached, the don’t publish the details of the breach and the rest of us don’t get the benefit of learning from others misfortune. That’s a failure of the profession, not a failure of PCI, QSA’s or Heartland.

The people who build failed bridges don’t sweep their failures under the rug. They publish papers on the failure & the world learns how to build better bridges.

BTW – did Heartland ever publish a paper on how they got hacked? I’d like to learn from their failure. It’d be a heck of a lot better that waiting until it happens to me.

–Mike

]]>