As I read about the Home Depot breach and follow the commentary on the Target breach and the others that keep coming, it's clear to me that we need to have a more mature conversation about breaches.
We don't blame the homeowner when a burglary occurs.

We don't blame patients for contracting HIV or Ebola, or for being afflicted with cancer, ALS or heart disease.

Even when the cause may be the patient's own behavior (smoking, excessive drinking, etc.), we have sympathy for them.

So why are we blaming companies, hospitals and the other victims of cybercrime?

Yes, Target, Home Depot, Blue Cross Blue Shield of Tennessee and others could have done a better job of protecting their networks. But you know what, no one's perfect.

And I assert that the victims were NOT solely responsible for the failures.

IMHO software vendors shoulder at least 50% of the blame.

1) We are working with a client subject to PCI DSS, and their POS vendor requires DISABLING UAC and giving users ADMINISTRATOR privileges.

2) We're working with construction firms, and a very well-known package requires giving all users full administrative rights on the application's install and database directories.

3) A leading manufacturer of label printers requires that users have LOCAL ADMINISTRATOR rights just to print labels.

(I have purposefully omitted the names of the vendors, because they are representative of the norm. Ignoring the SANS 20 control "Controlled Use of Administrative Privileges" seems to be a job requirement for commercial developers.)
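If you want to find out whether one of these vendor "requirements" has already been applied to a machine you are responsible for, the three conditions above can be audited directly. The script below is an added example and is not from the original post or from any of the vendors mentioned; the directory paths in `$AppDirs` and the `$ExpectedAdmins` list are assumptions to be replaced with your own. It reports UAC being switched off (or set to elevate administrators silently), accounts in the local Administrators group that you did not put there, and install or database directories that grant write-capable rights to Everyone, Users or Authenticated Users.

```powershell
# Added example (not from the original post): audit a Windows host for the three
# vendor "requirements" described above. Run from an elevated PowerShell 5.1+ prompt.
# $AppDirs holds assumed, illustrative paths; $ExpectedAdmins lists the short names
# of the accounts or groups you consider legitimate local administrators.
param(
    [string[]]$AppDirs = @('C:\Program Files\ExampleVendorApp', 'C:\ExampleVendorApp\Data'),
    [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins')
)

$Findings  = @()
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1) UAC. EnableLUA = 0 switches UAC off machine-wide. ConsentPromptBehaviorAdmin = 0
#    leaves UAC nominally on but elevates administrators without any prompt, which is
#    the setting vendors reach for when "disable UAC" gets pushback.
$pol = Get-ItemProperty -Path $PolicyKey
if ($pol.EnableLUA -eq 0) {
    $Findings += 'UAC is disabled (EnableLUA = 0)'
} elseif ($pol.ConsentPromptBehaviorAdmin -eq 0) {
    $Findings += 'UAC elevates administrators silently (ConsentPromptBehaviorAdmin = 0)'
}

# 2) Local Administrators. Every member whose short name is not on the expected list
#    is a finding. Names come back as COMPUTER\Administrator or DOMAIN\Domain Users,
#    so compare on the part after the backslash.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    $short = ($m.Name -split '\\')[-1]
    if ($ExpectedAdmins -notcontains $short) {
        $Findings += "Local Administrators contains $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
    }
}

# 3) Directory ACLs. Flag Allow entries that give broad principals any right that
#    lets them change files or the ACL itself. FullControl and Modify both contain
#    these bits, so "give Users full rights on the install directory" is caught.
$Broad     = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
foreach ($dir in $AppDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Skipping $dir (not present on this host)"
        continue
    }
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Cast to [int] so inherited generic-rights entries (which print as large
        # negative numbers) are handled the same way as named rights.
        $granted = [int]$ace.FileSystemRights
        if ($Broad -contains $ace.IdentityReference.Value -and ($granted -band $WriteBits)) {
            $Findings += "$dir grants $($ace.IdentityReference.Value) $($ace.FileSystemRights)"
        }
    }
}

if ($Findings.Count -eq 0) {
    'No administrative-privilege findings.'
} else {
    $Findings | ForEach-Object { "FINDING: $_" }
}
```

When the third check fires, the usual fix is not to argue about the whole install tree: keep the program directory read-only for users and grant Modify only on the specific data or log subdirectory, to the specific group that needs it. For the first two, the honest answer in a PCI DSS environment is to document the vendor's demand as an exception with compensating controls and keep the pressure on the vendor, which is exactly the point of the post.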

I agree with Dan Geer and other luminaries:

A) We need a CDC or an NTSB for the internet. We need a dispassionate, independent federal investigator that is authorized and empowered to investigate breaches, determine root causes and make recommendations to fix the infrastructure. The NTSB has saved countless lives by investigating each airplane crash, determining the flaws or breakdowns in the process, and driving improvements in manufacturing, maintenance and flight operations.

B) We need a LEMON LAW for software. Software vendors need to be held liable for shipping shoddy, insecure products.

Finally, I think Microsoft should step up and hold ADOBE and ORACLE accountable for the flaws in Adobe Flash, Adobe Reader and Java. Wouldn't it be great if Satya Nadella had a Steve Jobs moment and banned Flash and Java from Windows?

What are your thoughts?  Let me know.