Panera has been going through a bit of a debacle since last night. The original security researcher posted about it in detail after shit hit the fan. Near the end, he poses a few reflective questions. I figured I would poke at them!
“1. We could collectively afford to be more critical of companies when they issue reactionary statements to do damage control. We need to hold them to a higher standard of accountability. I honestly don’t know what that looks like for the media, but there has to be a better way to do thorough, comprehensive reporting on this.”
I think everyone in media and public relations would say this is about understanding the short attention span of the media and their audience. Plus, every media outlet wants to get out there first, at least amongst their peers. (This is probably why, as a fan of CNN, I continue to be appalled at their lack of spelling and grammar over the past couple of years…) But, yes, I’ve been sick of the vague, cookie-cutter statements for 15 years now. “We take security seriously…” and, “affected by a sophisticated, advanced attack…” and, “no further signs of abuse/disclosure (within only 60 minutes of discovery)…” The problem is one of transparency. The company usually has no reason to be very detailed, which means someone in the know (either someone inside, the researcher, or someone who pieces it together and rediscovers it independently) needs to reveal the details responsibly. And I usually fall on the side of full disclosure as opposed to no disclosure or “responsible disclosure,” which really just means stifling it with a smile. It’s the best way for all of us to learn and get better, and also to make educated choices about where to do business.
As far as holding companies accountable overall, that’s a rough one. While security companies and other Business-to-Business (B2B) firms can struggle after a breach, I don’t know of any retailers or food service companies that have been terribly impacted by one. Food quality scares can threaten Chipotle, but breaches seem to get ignored. This Panera one is a little different, as the platform affected was a mobile ordering app, which is probably used by slightly more connected and savvy users; some of them may never use the app again because of this, but they will probably still eat at Panera.
“2. We need to collectively examine what the incentives are that enabled this to happen. I do not believe it was a singular failure with any particular employee. It’s easy to point to certain individuals, but they do not end up in those positions unless that behavior is fundamentally compatible with the broader corporate culture and priorities.”
This is a meaty issue, for sure. I think many security issues don’t get exposed or talked about because it is always (always!) easier to consciously or unconsciously ignore them. Finding security issues is hard; sometimes you have to really try. And many people are just trying to complete their tasks and get through their days. The security team (if there is one) has this responsibility, but in a world where development wants to go at the speed of agile, no one can slow them down. Security has to move at that speed as well, which is difficult since security is inherently always a little behind the curve, and often perceived as adding no value.
This starts with a mandate, or at the very least interest in security, from a high level. It’s fine enough to say, “We don’t want to be the next Equifax/Panera/Boeing.” From there, security management needs to be based on fact, not belief. It also needs to be constantly questioned and improved. None of us know how to secure everything; we learn incrementally or seek assistance/ideas elsewhere, and then weave that into our internal security fabric over and over and over. When that improvement process stops, gaps will appear. (To me, this is where threat hunting is becoming a thing: you can get pretty good with your security posture and do the basic things well, but to keep improving, you need that unit that keeps hunting, poking, learning, and injecting further information into the whole.)
“3. If you are a security professional, please, I implore you, set up a basic page describing a non-threatening process for submitting security vulnerability disclosures. Make this process obviously distinct from the “Hi, I think my account is hacked” customer support process. Make sure this is immediately read by someone qualified and engaged to investigate those reports, both technically and practically speaking. You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way.”
I basically agree with this, but also make sure that investigations are done properly (carefully) by your IR team, and make sure someone has a quick line to PR/legal if questions arise or things escalate. Not responding can be appropriate, but that policy should be stated, and the correspondent should at least get some indication that the email was successfully delivered. Basically, a security@ email address should suffice, optionally with a quick mention on an appropriate Contact Us page.