When to Discuss Security Publicly?
When is it appropriate to talk about security issues in a public forum? Pennsylvania's (former) chief information officer Bob Maley found out - or at least learned when it isn't.
When is it appropriate to talk about security issues in a public forum? Pennsylvania's (former) Chief Information Security Officer Bob Maley found out - or at least learned when it isn't.
He was fired a week after discussing details of a security vulnerability in the state's online driver's test scheduling system. The hole allowed an owner of a driving school in Philadelphia to schedule driving tests for students. Since new drivers typically have to wait weeks for the tests, the ability to schedule a driving test, say, the next day gave the school a distinct competitive advantage.
Maley discussed the vulnerability in the system at the RSA Conference in San Francisco in February. Why? In a blog item posted on Monday about the incident, he wrote:
This incident is an example of some of the more common but not necessarily exotic exploitations of IT systems. You don't see this type of incident listed among the top IT security threats of 2010. . . . By talking about this incident, I hoped to make people realize that simply following trend reports and compliance checklists isn't enough in today's environment. We need to make our strategic processes nimble, we need to think outside the normal and we need to get better at it than the bad guys.
Maley stressed that the hole had been fixed, making it impossible for another hacker to gain entry. It would be informative to know if attendees at the panel discussion thought Maley's disclosure was helpful to them.