Another reason that proves Ford doesn't care about its customers

Ebm

Well-Known Member
Joined
Nov 21, 2016
Threads
66
Messages
3,051
Reaction score
1,340
Location
North Carolina
First Name
Guy
Vehicle(s)
'14 GT

jacknifetoaswan

Well-Known Member
Joined
Jan 6, 2016
Threads
49
Messages
1,425
Reaction score
760
Location
Charleston, SC
Vehicle(s)
2016 Race Red Mustang GT Premium Performance Pack
I mean, that doesn't mean that Ford doesn't care about their customers, it only means that their IT security needs improvement, just like LITERALLY every other organization on the planet.

JR - CISSP, CISSP-ISSEP, CCSP, CISM
 

Ebm

Did you read the article? It's negligence... and a slap in the face to any Ford customer that their data could be accessed. Yes, you are right, everyone could improve their security. But Ford had no excuse to wait 6 months to even acknowledge that there was something wrong! Ford uses a vulnerability disclosure program called HackerOne. Even after the white hat hackers disclosed the vulnerability via the HackerOne program, Ford's communication was nonexistent. It took a Twitter tweet for Ford to pay attention. Honestly, if I wasn't a customer of Ford, I'm all for them getting ransomware. Sometimes it takes an incident to happen before a company pays attention.

Why did you post your certifications? Asshole move. You just proved how stuck up you are. Certifications are a money grab and only prove you can pass a test. The real world is what matters. Experience...
 

jacknifetoaswan

It doesn't prove anything. You do realize that closing vulnerabilities often means that you're removing features, right? Or that you're preventing one system from talking to another? There are a lot of considerations at play here.

Regarding my certifications, yeah, a lot of people take tests and get certs. I'd say that 16 years of doing cyber security and systems engineering for the US Navy, US Army, and US Marine Corps gives me a pretty good idea of what works (risk-based approaches to vulnerability management and holistic security management using various methods) and what doesn't (blindly closing vulnerabilities without a clear understanding of impact).

I'm not saying that what Ford did was right or wrong, only that there are far reaching implications for issues like this. Without being a part of the internal Ford security team, you have no idea what was done, other than what is reported in this link.

ETA - BTW, if you know of anyone that can pass the ISSEP just based on their ability to take a test, I'd love to meet them. Why don't you share your industry certs and experience?

JR
 

Ebm

I'm well aware that it means a potential for less features or breaking something temporarily. I think we both know about the current PrintNightmare situation going on. Or the ACL and SAM permissions issues going on. I've learned security through research. Not everyone needs to share that they have a piece of paper saying I know what I'm doing, some people are self-taught. I have pieces of paper because it was required before I had experience, but I don't care to flaunt them. One of my hats is a Windows Sys Admin. If you deal with Windows, you know what a security nightmare it is. But it is also the most user-friendly OS. People grew up with it, are used to it, and don't like change.

To answer your last question. Not everyone feels the need to flex on someone else. I like to fly under the radar. No one cares if I have a CCNA, MCSA in SQL Server, or anything else. To most, it is just a meaningless abbreviation. To the few that care, I guess it's "cool."

With that said, I do respect the flag and what it stands for. I will say thank you for your service. I will also say it is a jerk move flaunting your certs, especially on a car forum where they are meaningless to most.
 

emcmtony

Well-Known Member
Joined
Jun 2, 2021
Threads
10
Messages
213
Reaction score
268
Location
08085
First Name
Tony
Vehicle(s)
2020 Saleen Mustang S302 White Label
When trying to find a reason that Ford does not care about their customers, you need not look any further than their Service Departments in Dealerships. For whatever reason, imports seem to take care of their customers and have them in and out pretty efficiently. Ford however has been and remains one of the slowest and most inefficient Service Departments in the World. Yes, it is a local issue with Dealerships but I have lived in Hawaii, NY, SC, CT, FL, RI and NJ and not one of their Service Departments had a good handle on it. If Ford gave a shit about their customers they would demand better service from their Dealerships.
 
  • Like
Reactions: Ebm

jacknifetoaswan

I didn't serve, I'm a contractor. We're the ones that actually get shit done on behalf of the service branches.

That said, think of me as you will. You posted something extremely one-sided, with zero context, and used it to "prove" that Ford doesn't give a damn about its customers. You didn't provide any inkling that you had any better information than what was presented in the article, or that you had any background in infosec. From what you've described, you may have some practical experience, but you sound like a systems administrator. No offense, but sysadmins are generally one of the biggest gaps in infosec coverage, because they do what's expedient, not what's right. Ignorance of policy and a desire to "just make things work" is what leads to a lot of security issues. On the other side, lack of user training and best practices leads to a significant number of what's left.

As far as flexing, would you consider me to be flexing if I commented on someone's misguided post about an issue with the car, and I was ASE certified, and I said I was? Because that's what's happening here - you made a post with inflammatory information about something that LITERALLY happens to organizations every freaking day, and I provided a comment and credentials to back up my comment.

Sorry to hurt your better sensibilities...

JR