{"id":6351,"date":"2017-09-17T11:30:48","date_gmt":"2017-09-17T16:30:48","guid":{"rendered":"https:\/\/rud.is\/b\/?p=6351"},"modified":"2018-03-07T17:04:12","modified_gmt":"2018-03-07T22:04:12","slug":"armchair-quarterbacking-systemic-organization-and-industry-failures","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/","title":{"rendered":"Armchair Quarterbacking Systemic Organization and Industry Failures"},"content":{"rendered":"<pre>\ninsert(post, \"{ 'standard_disclaimer' : 'My opinion, not my employer\\'s' }\")\n<\/pre>\n<p>This is a post about the fictional company FredCo. If the context or details presented by the post seem familiar, it&#8217;s purely coincidental. This is, again, a fictional story.<\/p>\n<p>Let&#8217;s say FredCo had a pretty big breach that (fictionally) garnered media, Twitterverse, tech-world and Government-level attention and that we have some spurious details that let us sit back in our armchairs to opine about. What might have helped create the debacle at FredCo?<\/p>\n<p>Despite (fictional) endless mainstream media coverage and a good chunk of &#8216;on background&#8217; infosec-media clandestine blatherings we know very little about the breach itself (though it&#8217;s been fictionally, officially blamed on failure to patch Apache Struts). We know even less (fictionally officially) about the internal reach of the breach (apart from the limited consumer impact official disclosures). 
We know <em>even less than that<\/em> (fictionally officially) about how FredCo operates internally (process-wise).<\/p>\n<p>But, I&#8217;ve (fictionally) seen:<\/p>\n<ul>\n<li>a detailed breakdown of the number of domains, subdomains, and hosts FredCo &#8220;manages&#8221;.<\/li>\n<li>the open port\/service configurations of the public components of those domains<\/li>\n<li>public information from individuals who are more willing to (fictionally) violate the CFAA than I am to get more than just port configuration information<\/li>\n<li>a 2012\/3 SAS 1 Type II report about FredCo controls<\/li>\n<li>testimonies from FredCo execs regarding efficacy of $SECURITY_TECHNOLOGY and 3 videos purporting to be indicative of expert opine on how to use BIIGG DATERZ to achieve cybersecurity success<\/li>\n<li>the board &amp; management structure + senior management bonus structures, complete with incentive-based objectives they were graded on<\/li>\n<\/ul>\n<p>so, I&#8217;m going to blather a bit about how <strong>this fictional event should finally tear down the Potemkin village that is the combination of the Regulatory+Audit Industrial Complex and the Cybersecurity Industrial Complex<\/strong>.<\/p>\n<p>&#8220;Tear down&#8221; with respect to the goal being to help individuals understand that a significant portion of organizations you entrust with your data are not incentivized or equipped to protect your data and that these same conditions exist in more critical areas &#8212; such as transportation, health care, and critical infrastructure &#8212; and you should expect a failure on the scale of FredCo &#8212; only with real, harmful impact &#8212; if nothing ends up changing soon.<\/p>\n<h3>From the top<\/h3>\n<p>There is boilerplate mention of &#8220;security&#8221; in the objectives of the senior executives between 2015 &amp; 2016 14A filings:<\/p>\n<ul>\n<li><em>CEO<\/em>: &#8220;Employing advanced analytics and technology to help drive client growth, security, efficiency 
and profitability.&#8221;<\/li>\n<li><em>CFO<\/em>: &#8220;Continuing to advance and execute global enterprise risk management processes, including directing increased investment in data security, disaster recovery and regulatory compliance capabilities.&#8221;<\/li>\n<li><em>CLO<\/em>: &#8220;Continuing to refine and build out the Company\u2019s global security organization.&#8221;<\/li>\n<li><em>President, Workforce Solutions<\/em>: <strong>None<\/strong><\/li>\n<li><em>CHRO<\/em>: <strong>None<\/strong><\/li>\n<li><em>President \u2013 US Information Services<\/em>: <strong>None<\/strong><\/li>\n<\/ul>\n<p>You&#8217;ll be happy to know that they all received either &#8220;Distinguished&#8221; or &#8220;Exceeds&#8221; on their appraisals and received a multiplier of their bonus &amp; compensation targets as a result.<\/p>\n<p>Furthermore, there is no one in the make-up of FredCo&#8217;s board of directors who has shown an interest or specialization in cybersecurity.<\/p>\n<p>From the camera-positioned 50-yard line on instant replay, the board and shareholders of FredCo did not think protection of your identity and extremely personal information was important enough to include on three top executive directives and performance measures, and it was given little more than boilerplate mention for others. Investigators who look into FredCo&#8217;s breach should dig deep into the last decade of the detailed measures for these objectives. I have first-hand experience of how these types of HR processes are managed in large orgs, which is why I&#8217;m encouraging this area for investigation.<\/p>\n<p>&#8220;Security&#8221; is a terrible term, but it only works when it is an emergent property of the business processes of an organization. That means it must be contextual for every worker. 
Some colleagues suggest individual workers should not have to care about cybersecurity when making decisions or doing work, but even minimum-wage retail and grocery store clerks are educated about shoplifting risks and are given tools, tips and techniques to prevent loss. When your HR organization is not incentivized to help create and maintain a cybersecurity-aware culture <em>from the top<\/em> you&#8217;re going to have problems, and when there are no cybersecurity-oriented targets for the CIO or even business process owners, don&#8217;t expect your holey screen door to keep out predators.<\/p>\n<h3>Awwwdit, Part I<\/h3>\n<p>NOTE: I&#8217;m not calling out any particular audit organization as I&#8217;ve only seen one fictional official report.<\/p>\n<p>The Regulatory+Audit Industrial Complex is a lucrative business cabal. Governments and large business meta-agencies create structures where processes can be measured, verified and given a big green \u2705. This validation exercise is generally done in one or more ways:<\/p>\n<ul>\n<li>simple questionnaire, very high-level questions, no veracity validation<\/li>\n<li>more detailed questionnaire, mid-level questions, usually some in-person lightweight checking<\/li>\n<li>detailed questionnaire, but with topics that can be sliced-and-diced by the legal+technical professions to mean literally anything, measured in-person by (usually) extremely junior reviewers with little-to-no domain expertise who follow review playbooks, get overwhelmed with log entries and scope-refinement+reduction and who end up being steered towards &#8220;important&#8221; but non-material findings<\/li>\n<\/ul>\n<p>Sure, there are good audits and good auditors, but I will posit they are the rare diamonds in a bucket of zirconia.<\/p>\n<p>We need to cover some technical ground before covering this further, though.<\/p>\n<h3>Shocking Struts<\/h3>\n<p>We&#8217;ll take the stated breach cause at face-value: failure to patch a remote-accessible 
vulnerability with Apache Struts. This was presented as the singular issue enabling attackers to walk (with crutches) away with scads of identity-theft-enabling personal data, administrator passwords, database passwords, and the recipe for the winning entry in the macaroni salad competition at last year&#8217;s HR annual picnic. Who knew one Java library had <em>so much power<\/em>!<\/p>\n<p>We don&#8217;t know the architecture of all the web apps at FredCo. However, your security posture should not be a Jenga game tower, easily destroyed by removing one peg. These are all (generally) components of externally-facing applications at the scale of FredCo:<\/p>\n<ul>\n<li>routers<\/li>\n<li>switches<\/li>\n<li>firewalls<\/li>\n<li>load balancers<\/li>\n<li>operating systems<\/li>\n<li>application servers<\/li>\n<li>middleware servers<\/li>\n<li>database servers<\/li>\n<li>customized code<\/li>\n<\/ul>\n<p>These are mimicked (to varying levels of efficacy) across:<\/p>\n<ul>\n<li>development<\/li>\n<li>test<\/li>\n<li>staging<\/li>\n<li>production<\/li>\n<\/ul>\n<p>environments.<\/p>\n<p>They may coexist (in various layers of the network) with:<\/p>\n<ul>\n<li>HR systems<\/li>\n<li>Finance systems<\/li>\n<li>Intranet servers<\/li>\n<li>Active Directory<\/li>\n<li>General user workstations<\/li>\n<li>Executive workstations<\/li>\n<li>Developer workstations<\/li>\n<li>Mobile devices<\/li>\n<li>Remote access infrastructure (e.g. 
VPNs)<\/li>\n<\/ul>\n<p>A properly incentivized organization ensures there is logical and physical separation between\/isolation of &#8220;stuff that matters&#8221; and that varying levels of authentication &amp; authorization are applied to ensure access is restricted.<\/p>\n<p>Keeping all that &#8220;secure&#8221; requires:<\/p>\n<ul>\n<li>managing thousands of devices (servers, network components, laptops, desktops, mobile devices)<\/li>\n<li>managing thousands of identities<\/li>\n<li>managing thousands of configurations across systems, networks and devices<\/li>\n<li>managing hundreds to thousands of connections between internal and external networks<\/li>\n<li>managing thousands of rules<\/li>\n<li>managing thousands of vulnerabilities (as they become known)<\/li>\n<li>managing a secure development life cycle across hundreds or thousands of applications<\/li>\n<\/ul>\n<p>Remember, though, that FredCo ostensibly managed <em>all of that well<\/em> and the data loss was solely due to <em>one Java library<\/em>.<\/p>\n<p>If your executives (all of them) and workers (all of them) are not incentivized with that list in mind, you will have problems, but let&#8217;s talk about the security challenges back in the context of the audit role.<\/p>\n<h3>Awwwdit, Part II<\/h3>\n<p>The post is already long, so we&#8217;ll make this quick.<\/p>\n<p>If I dropped you off &#8212; yes, <em>you<\/em>, because you&#8217;re likely as capable as the auditors mentioned in the previous section on audit &#8212; into that environment <em>once a year<\/em>, do you think you&#8217;d be able to ferret out issues based on convoluted network diagrams, poorly documented firewall rules and source code, and non-standard checklists of user access management processes?<\/p>\n<p>Let&#8217;s say I dropped you in months before the Struts vulnerability was known, and re-answer the question.<\/p>\n<p>The burden placed on internal and &#8212; especially &#8212; external auditors is great and they are pretty 
much set up for failure from engagement number one.<\/p>\n<p>Couple IT complexity with the fact that many orgs like FredCo aren&#8217;t required to do more than ensure financial reporting processes are ?.<\/p>\n<p>But, even if there were more technical, security-oriented audits performed, you&#8217;d likely have ten different report findings by as many firms or auditors, especially if they were point-in-time audits. Furthermore, FredCo has had decades of point-in-time audits by hundreds of auditors and dozens of firms. The conditions of the breach were likely not net-new, so how did decades of systemic IT failures go unnoticed by this cabal?<\/p>\n<p>IT audit functions are a multi-billion dollar business. FredCo is partially the result of the built-in cracks in the way verification is performed in orgs. In other words, I posit the Regulatory+Audit Industrial Complex bears some of the responsibility for FredCo&#8217;s breach.<\/p>\n<h3>Divisive Devices<\/h3>\n<p>From the (now removed) testimonials &amp; videos, it was clear there may have been a &#8220;blinky light&#8221; problem in the mindset of those responsible for cybersecurity at FredCo. Relying solely on the capabilities of one or more devices (they are usually appliances with blinky lights) and thinking that storing petabytes of log data is going to stop &#8220;bad guys&#8221; is a great recipe for a breach parfait.<\/p>\n<p>But, the Cybersecurity Industrial Complex continues to dole out LED-laden boxes with the fervor of a U.S. doctor handing out opioids. Sure, they are just giving orgs what they want, but it doesn&#8217;t make it responsible behaviour. Just like the opioid problem, the &#8220;device&#8221; issue is likely causing cyber-sickness in more organizations than you&#8217;d like to admit. 
You may even know someone who works at an org with a box-addiction.<\/p>\n<p>I posit the Cybersecurity Industrial Complex bears some of the responsibility for FredCo&#8217;s breach, especially when you consider the hundreds of marketing e-mails I&#8217;ve seen post-FredCo breach telling me how CyberBox XJ9-11 would have stopped FredCo&#8217;s attackers <em>cold<\/em>.<\/p>\n<h3>A Matter of Trust<\/h3>\n<p>If removing a Struts peg from FredCo&#8217;s IT Jenga board caused the fictional tower to crash:<\/p>\n<ul>\n<li>What do you think the B2B infrastructure looks like?<\/li>\n<li>How do you think endpoints are managed?<\/li>\n<li>What isolation, segmentation and access controls really exist?<\/li>\n<li>How effective do you think their security awareness program is?<\/li>\n<li>How many apps are architected &amp; managed as poorly as the breached one?<\/li>\n<li>How many shadow IT deployments exist in the \u2601\ufe0f with <em>your<\/em> data in them?<\/li>\n<li>How can you trust FredCo with anything of importance?<\/li>\n<\/ul>\n<h3>Fictional FIN<\/h3>\n<p>In this fictional world I&#8217;ve created, one ending is:<\/p>\n<ul>\n<li>all B2B connections to FredCo have been severed<\/li>\n<li>lawyers at a thousand firms are working on language for filings to cancel all B2B contracts with FredCo<\/li>\n<li>FredCo was de-listed from exchanges<\/li>\n<li>FredCo executives are defending against a slew of criminal and civil charges<\/li>\n<li>The U.S. Congress and U.K. 
Parliament have come together to undertake a joint review of regulatory and audit practices spanning both countries (since it impacted both countries and the Reg+Audit cabal spans both countries, they decided to save time and money) resulting in sweeping changes<\/li>\n<li>The SEC has mandated detailed cybersecurity objectives be placed on all senior management executives at all public companies and has forced the results of those objective assessments to be part of a new filing requirement.<\/li>\n<li>The SEC has also mandated that at least one voting board member of public companies must have demonstrated experience with cybersecurity<\/li>\n<li>The FTC creates and enforces standards on cybersecurity product advertising practices<\/li>\n<li><strong>You<\/strong> have understood that <strong>nobody has your back<\/strong> when it comes to managing your sensitive, personal data and that you <strong>must<\/strong> become an active participant in helping to ensure your elected representatives hold all organizations accountable when it comes to taking their responsibilities seriously.<\/li>\n<\/ul>\n<p>but, another is:<\/p>\n<ul>\n<li>FredCo&#8217;s stock bounces back<\/li>\n<li>FredCo loses no business partners<\/li>\n<li>FredCo&#8217;s current &amp; former execs face no civil or criminal charges<\/li>\n<li>Congress makes a bit of opportunistic, temporary bluster for the sake of 2018 elections but doesn&#8217;t do anything more than berate FredCo publicly<\/li>\n<li>You&#8217;re so tired of all these breaches and data loss that you go back to playing &#8220;Clash of Clans&#8221; on your mobile phone and do nothing.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>insert(post, &#8220;{ &#8216;standard_disclaimer&#8217; : &#8216;My opinion, not my employer\\&#8217;s&#8217; }&#8221;) This is a post about the fictional company FredCo. If the context or details presented by the post seem familiar, it&#8217;s purely coincidental. 
This is, again, a fictional story. Let&#8217;s say FredCo had a pretty big breach that (fictionally) garnered media, Twitterverse, tech-world and Government-level [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[681,3],"tags":[810],"class_list":["post-6351","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-information-security","tag-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Armchair Quarterbacking Systemic Organization and Industry Failures - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Armchair Quarterbacking Systemic Organization and Industry Failures - rud.is\" \/>\n<meta property=\"og:description\" content=\"insert(post, &quot;{ &#039;standard_disclaimer&#039; : &#039;My opinion, not my employer&#039;s&#039; }&quot;) This is a post about the fictional company FredCo. If the context or details presented by the post seem familiar, it&#8217;s purely coincidental. 
This is, again, a fictional story. Let&#8217;s say FredCo had a pretty big breach that (fictionally) garnered media, Twitterverse, tech-world and Government-level [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2017-09-17T16:30:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-03-07T22:04:12+00:00\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"Armchair Quarterbacking Systemic Organization and Industry 
Failures\",\"datePublished\":\"2017-09-17T16:30:48+00:00\",\"dateModified\":\"2018-03-07T22:04:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/\"},\"wordCount\":2041,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"keywords\":[\"post\"],\"articleSection\":[\"Cybersecurity\",\"Information Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/\",\"name\":\"Armchair Quarterbacking Systemic Organization and Industry Failures - 
rud.is\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\"},\"datePublished\":\"2017-09-17T16:30:48+00:00\",\"dateModified\":\"2018-03-07T22:04:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/09\\\/17\\\/armchair-quarterbacking-systemic-organization-and-industry-failures\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/rud.is\\\/b\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Armchair Quarterbacking Systemic Organization and Industry Failures\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/\",\"name\":\"rud.is\",\"description\":\"&quot;In God we trust. 
All others must bring data&quot;\",\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/rud.is\\\/b\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\\\/\\\/rud.is\"],\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/author\\\/hrbrmstr\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Armchair Quarterbacking Systemic Organization and Industry Failures - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/","og_locale":"en_US","og_type":"article","og_title":"Armchair Quarterbacking Systemic Organization and Industry Failures - rud.is","og_description":"insert(post, \"{ 'standard_disclaimer' : 'My opinion, not my employer's' }\") This is a post about the fictional company FredCo. If the context or details presented by the post seem familiar, it&#8217;s purely coincidental. This is, again, a fictional story. Let&#8217;s say FredCo had a pretty big breach that (fictionally) garnered media, Twitterverse, tech-world and Government-level [&hellip;]","og_url":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/","og_site_name":"rud.is","article_published_time":"2017-09-17T16:30:48+00:00","article_modified_time":"2018-03-07T22:04:12+00:00","author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"Armchair Quarterbacking Systemic Organization and Industry Failures","datePublished":"2017-09-17T16:30:48+00:00","dateModified":"2018-03-07T22:04:12+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/"},"wordCount":2041,"commentCount":0,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"keywords":["post"],"articleSection":["Cybersecurity","Information Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/","url":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/","name":"Armchair Quarterbacking Systemic Organization and Industry Failures - 
rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"datePublished":"2017-09-17T16:30:48+00:00","dateModified":"2018-03-07T22:04:12+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2017\/09\/17\/armchair-quarterbacking-systemic-organization-and-industry-failures\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"Armchair Quarterbacking Systemic Organization and Industry Failures"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":"&quot;In God we trust. All others must bring data&quot;","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10
\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-1Er","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":1376,"url":"https:\/\/rud.is\/b\/2012\/06\/23\/breach-reach-google-insights\/","url_meta":{"origin":6351,"position":0},"title":"Breach Reach : Google Insights","author":"hrbrmstr","date":"2012-06-23","format":false,"excerpt":"UPDATE: I had to remove the Google Insight widgets and replace them with static images. There was inconsistent loading far too often in non-Chrome browsers. Click on the graphs to go to the Google Insights detail pages for more interaction with the data. Information security breaches have been the \"new\u2026","rel":"","context":"In &quot;Breach&quot;","block_context":{"text":"Breach","link":"https:\/\/rud.is\/b\/category\/breach\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1948,"url":"https:\/\/rud.is\/b\/2013\/01\/27\/once-more-into-the-prc-aggregated-breaches\/","url_meta":{"origin":6351,"position":1},"title":"Once More Into The [PRC Aggregated] Breaches","author":"hrbrmstr","date":"2013-01-27","format":false,"excerpt":"If you're not on the SecurityMetrics.org mailing list you missed an interaction about the Privacy Rights Clearinghouse Chronology of Data Breaches data source started by Lance Spitzner (@lspitzner). 
You'll need to subscribe to the list see the thread, but one innocent question put me down the path to taking a\u2026","rel":"","context":"In &quot;Breach&quot;","block_context":{"text":"Breach","link":"https:\/\/rud.is\/b\/category\/breach\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":416,"url":"https:\/\/rud.is\/b\/2011\/03\/26\/checkboxes-fail-to-defend-maine-department-of-conservation-against-attacks\/","url_meta":{"origin":6351,"position":2},"title":"Checkboxes Fail To Defend Maine Department of Conservation Against Attacks","author":"hrbrmstr","date":"2011-03-26","format":false,"excerpt":"I tweeted a quick note about the 2010 Maine Department of Conservation state park pass ordering system breach. The brief AP story indicated that the breach itself was caused by a malware infection on systems at their SasS provider InfoSpherix. While the article claims notices were sent to ~1,000 impacted\u2026","rel":"","context":"In &quot;Breach&quot;","block_context":{"text":"Breach","link":"https:\/\/rud.is\/b\/category\/breach\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1033,"url":"https:\/\/rud.is\/b\/2012\/05\/10\/off-by-one-the-importance-of-fact-checking-breach-reports\/","url_meta":{"origin":6351,"position":3},"title":"Off By One : The Importance Of Fact Checking Breach Reports","author":"hrbrmstr","date":"2012-05-10","format":false,"excerpt":"I didn't read through the Massachusetts 2011 Report on Data Breach Notifications\u00a0[PDF] until recently, but once I went through the report my brain kept telling me \"something is wrong\". Not something earth shattering, but more of a \"something is off\" signal. 
This happens more than I'd like as I tend\u2026","rel":"","context":"In &quot;Breach&quot;","block_context":{"text":"Breach","link":"https:\/\/rud.is\/b\/category\/breach\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":10257,"url":"https:\/\/rud.is\/b\/2018\/05\/08\/wrangling-data-table-out-of-the-fbi-2017-ic3-crime-report\/","url_meta":{"origin":6351,"position":4},"title":"Wrangling Data Table Out Of the FBI 2017 IC3 Crime Report","author":"hrbrmstr","date":"2018-05-08","format":false,"excerpt":"The U.S. FBI Internet Crime Complaint Center was established in 2000 to receive complaints of Internet crime. They produce an annual report, just released 2017's edition, and I need the data from it. Since I have to wrangle it out, I thought some folks might like to play long at\u2026","rel":"","context":"In &quot;R&quot;","block_context":{"text":"R","link":"https:\/\/rud.is\/b\/category\/r\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/05\/ic3_victim_treemap-1.png?fit=1200%2C771&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/05\/ic3_victim_treemap-1.png?fit=1200%2C771&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/05\/ic3_victim_treemap-1.png?fit=1200%2C771&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/05\/ic3_victim_treemap-1.png?fit=1200%2C771&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2018\/05\/ic3_victim_treemap-1.png?fit=1200%2C771&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":754,"url":"https:\/\/rud.is\/b\/2012\/01\/03\/businessweek-infographic-illustrates-the-pounding-we-took-in-2011\/","url_meta":{"origin":6351,"position":5},"title":"Businessweek Infographic Illustrates The Pounding We Took In 2011","author":"hrbrmstr","date":"2012-01-03","format":false,"excerpt":"Another #spiffy tip from @MetricsHulk: 
Evan Applegate put together a great & simple infographic for Businessweek that illustrates the number and size of 2011 data breaches pretty well. (Click for larger version) The summary data (below the timeline bubble chart) shows there was a 37.4% increase in reported incidents and\u2026","rel":"","context":"In &quot;Breach&quot;","block_context":{"text":"Breach","link":"https:\/\/rud.is\/b\/category\/breach\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/6351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=6351"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/6351\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=6351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=6351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=6351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}