@GossiTheDog
Everybody has DLP but refuses to classify their data.
Fritz Adalis (fritzadalis@infosec.exchange)'s status on Friday, 29-Nov-2024 05:45:40 JST
kurtseifried (he/him) (kurtseifried@infosec.exchange)'s status on Friday, 29-Nov-2024 05:50:25 JST
@GossiTheDog Your wishes are granted:
> ban RSA conference etc for 5 years
Without RSA and similar conferences, smaller vendors and niche innovators lose their primary platform for visibility, leaving the market dominated by a few mega-corporations who can weather the vacuum. Meanwhile, shadow conferences spring up with even worse grifting and no accountability.
> make all speculative cybersecurity sales calls charged at $500 per minute
Sales teams pivot to even more aggressive "free trial" offers disguised as legitimate meetings. Companies implement enterprise software so convoluted and proprietary that customers need those sales calls just to understand the product—and are stuck paying outrageous bills for their own onboarding.
> outlaw all ransom and extortion payments and mandate breach reporting in law
Ransomware gangs pivot to direct, destructive attacks, permanently deleting data rather than holding it hostage. Breach reporting laws flood the system with so much noise (every minor data exposure gets reported) that the public and regulators stop caring about even significant breaches. Alarm fatigue kills any real interest in the problem.
> make insurance cover only incident response and recovery costs
Insurers respond by jacking up premiums and slashing payout thresholds. Businesses are forced to prove cyber-hygiene levels so high that only elite enterprises can afford insurance. SMBs drop insurance altogether, becoming easy prey for attackers.
> change industry verbiage on vulns to 'defects'
Lawyers seize on the "defect" terminology to file mass class-action lawsuits over every disclosed CVE, leading vendors to stop publishing vulnerability information altogether to avoid liability.
> call insecure product defaults 'negligence'
Companies, terrified of being branded "negligent," make their products so locked-down by default that end-users can barely configure them. Productivity plummets as even basic tools become a nightmare to set up.
> outlaw all NDAs on product pentests
Without NDAs, vendors restrict pentesters' access to only sanitized, unhelpful environments to avoid embarrassing public findings.
> change industry verbiage on responsible disclosure process to defect disclosure process
Renaming the process spurs heated debates over what counts as a "defect," stalling the disclosure process altogether. Meanwhile, bad actors capitalize on the delay, exploiting vulnerabilities that would’ve been patched sooner under the old terminology.
The good news is ... nothing really changed and the world keeps going mostly as is.
Edgar Whelp (edgarwhelp@cyberplace.social)'s status on Friday, 29-Nov-2024 05:57:21 JST
@GossiTheDog man give Gossi a few hours in VR flight sim and he comes out spittin' fire. That was fun to read!
Mark Bryant (spartan_1986@infosec.exchange)'s status on Friday, 29-Nov-2024 06:44:35 JST
@GossiTheDog "Everybody wants to outsource cyber to some terrible MSSP"
Or not even - TCS 🤐
Robert [KJ5ELX] :donor: (0xf21d@infosec.exchange)'s status on Friday, 29-Nov-2024 06:45:40 JST
@GossiTheDog this, but let's also ban the use of warfare/military terminology in cybersecurity. I hate that intersection a lot and wish it would go away. It only benefits the big cats.