Slashdot Mirror


Network Security Wishlist?

breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack thereof), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"

"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are international legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."

7 of 512 comments

  1. hailstorm and the like by curtis · · Score: 5, Interesting

    This is a great chance to get our concerns as a community out into the public sector.

    Consider this: ONE person/organization has EVERYONE'S personal and financial data online. This goes against all design architectures in both security AND engineering. A single point of failure. Imagine one bank in real life, with Barney Fife guarding it. Would you put your life savings there?

    With more and more commerce occurring on the internet, the more important it is that there is some scheme to protect this important market. I am particularly concerned with one private company holding the public trust in their hands -- I am also very concerned about the government, for that matter, also holding this information!

  2. Egress Filtering by jac · · Score: 5, Interesting

    "Coax" all carriers and providers to do egress filtering at the edges of their networks. This should help significantly in reducing DDoS attacks and should help make malicious network activity easier to trace.

  3. tell them by elliotj · · Score: 5, Interesting

    the more crypto the better. and don't try to legislate backdoors into it or anything.

    people need to realize that crypto is available to anyone with the ability to use it...it needs help in getting the average joe to use it.

    most people won't use PGP or something b/c it is too complicated. crypto needs to be built into office and internet apps from the ground up. strong crypto. stuff that can't be broken.

    people need to feel secure about these things. i think the govt has a lot to offer in promoting pki and such to get this in the hands of everyone.

    privacy is important. the govt needs to make a proactive effort to show that they believe in personal privacy and are willing to help make it happen online.

  4. IPv6 and IPSEC by PineHall · · Score: 5, Interesting

    If the government would require on all their networks IPv6 and IPSEC, that would go a long way toward IPv6 and IPSEC being accepted and would improve network security. Nothing else needs to be done.

  5. just because they get exploited the most by eclectric · · Score: 5, Interesting

    doesn't mean they're the least secure.

    Exploits are still made against products that Microsoft secured over a year ago. And indeed, Microsoft gets exploited the most because they are used by the vast majority of non-technical users. Can you imagine what would happen if 90% of the computer-owning people used Linux? Every single hole in the OS would not only be exploited, but you could count on it being a LOT less likely that the average-joe user would *ever* update his software to fix the hole.

  6. As a recipient of a subpoena... by dfeldman · · Score: 5, Interesting

    A few years ago I worked as a sysadmin at a moderately large company. We had a pretty big turnover problem because our company's marketing efforts tended to attract job applicants who were "green" college grads, lazy, troublemakers, and looking for a "fun" workplace with foosball tables and free snacks. Needless to say, they did not fit in at the Fortune 500 company where I worked.

    One of these employees got bored with his coding tasks and, with no previous exposure to a broadband Internet connection, apparently decided to become a script kiddie on company time. From all outward appearances, he got pretty good at it, but one day it caught up with him: U.S. Marshals came into my office and served me with a court order that asked for many, many pieces of information that would tell them who had been cracking systems from our corporate network.

    I had no problem turning this information over, as the other choice was to go to jail and let the hacker go free. However, I was appalled with the way the marshals treated me: they knew that I was just the sysadmin, not the perpetrator, but they still treated me like a criminal. When I told them that our NAT setup doesn't keep logs of every single outgoing connection from our network (as had been requested in the court order) they got really pissed off and started threatening me. At that point I told them that I was not going to do anything for them without talking to counsel, and they backed off.

    So, the moral of the story here is that law enforcement needs to show more respect for sysadmins, and learn the difference between a network admin and a criminal on the admin's network. Treating everybody as though they are all guilty will only build resentment and get in the way of getting their precious case solved.

    df

  7. Re:Don't ban tools! by Bonker · · Score: 5, Interesting

    This is probably the most important thing any network professional can ask for.

    Outlaw evil behavior, not the tools that enable that behavior. In many cases the tools have many, many more positive and educational uses than negative uses. In a lot of cases, the tools can be used to stop or examine criminal (cracking) behavior.

    Say what you will about Steve Gibson, but the guy knows a little about network security. He gives an extended discussion on how he used the tools of the IRC-based DDOS trade to help oust some script k1dd13's that were hammering his site.

    Without tools like L0pht-crack, the NT password cracker tool, I couldn't have convinced my execs that a company password policy was necessary and passwords like 'password01' were unacceptable.

    Just like we don't ban sledgehammers and bolt-cutters even though they can be used to break padlocks, we shouldn't ban network tools either.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!