Slashdot Mirror


A Need for Greater Cybersecurity

otterit writes "A story in the Washington Post discusses how chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said."

7 of 186 comments

  1. So ironic by Anonymous Coward · · Score: 4, Informative
    Where I work, most of the massive system failures were caused by senior executives meddling at low levels. Not just operationally, but also at system specification time. (How many buzzwords can we put into this spec?)

    That's not to say that IT security and virii aren't devastating. Just that putting clueless buzzword-directive-issuers in charge, instead of those who understand the implications and directly deal with customers, doesn't solve anything.

  2. Re:Why do worms propagate in the first place... by Rude+Turnip · · Score: 1, Informative

    I hate to be a grammar nazi, but for the freaking love of God, it is "Mac," not "MAC." It does not stand for anything, it is an abbreviation of "Macintosh." Too many people (who even supposedly know quite a bit about Macs) make this error. This reminds me of college professors who used to capitalize all the letters in "web" (as in WWW).

  3. Downstream Liability by sczimme · · Score: 2, Informative


    This paper addresses some of the issues you mentioned.

    ObDisclaimer: I am one of the authors (though no longer at CERT) and express some opinions in the paper re: patching schedules and general due care in this area.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  4. Re:Why do worms propagate in the first place... by CajunArson · · Score: 2, Informative

    MAC in this case means Mandatory Access Control.... if you wanted to be a grammar Nazi you could have pointed out my invalid use of possessive cases, misspellings, and run-on sentences. You try to put out a rant 20 minutes after waking up :)

    --
    AntiFA: An abbreviation for Anti First Amendment.
  5. They all get in trouble by DrugCheese · · Score: 3, Informative

    So the U.S. Government points the fingers at all the corporations and says:

    'Because everyone here uses Microsoft and Microsoft can't get their shit straight, we're gonna have everyone here pay out more money to Microsoft'

    --
    *DrugCheese rants*
  6. Sarbanes-Oxley (they don't understand) CFO vs CTO by mrnick · · Score: 3, Informative

    I have been involved in several Sarbanes-Oxley 404 Internal Audits and let me tell you it's an uphill battle. First off I find myself dealing with people working in the financial department. This sort of makes sense since 99% of Sarbanes-Oxley focuses on financial responsibility, but when it comes to 404 specifically it doesn't make sense. I have been in the situation several times where the 404 internal audit was being funded from the finance department. This puts you in a situation where the IT department is at odds with you. They, the IT department, don't know who you are and you need to access all the security aspects of IT and physical security. So, not only do you have to convince the financial types that doing this audit is not optional but mandated by law, you have to then convince IT types the same thing and you need access to all of their systems. Both are equally difficult because the financial types have a completely different definition of what an audit is and don't understand that an IT audit requires someone to physically check security of each device and run IDS and penetration testing. The IT people are just as hesitant. They understand quickly why you need to do this but don't want it to be a finance-funded person doing the poking around. They want it to be an IT project. Most of the time they have someone in IT that says "heck I can do it" but don't understand the reasoning behind Sarbanes-Oxley's requirement for segregation of incompatible duties, which means in a nutshell that you cannot be involved in a production or support role of the affected systems.

    Being in the IT Security field I thought that this would be a big boom for my career but I have not seen it yet. 404 clearly states that someone has to be responsible for reporting on the security readiness of the company. I don't see how the audits I have performed meet this requirement. Do the 20+ page audits that I produce make the CFO think he can report on security readiness? I don't think so because security is something that changes on a day to day basis. Plus I would bet that the CFO is an end user of some of those systems (badge reader, workstation, email, intranet, etc) and that this would prohibit him from being in that role. If I had the resources I would start a company and outsource the security audit and reporting responsibility. The major expense would be advertising / education of the corporations about the need for such a service.

    Anyways, I could go on all day but in summary most corporations have no idea that they need this and the ones that do know don't understand it.

    Nick Powers

    --

    Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
  7. Assigning fault by Beryllium+Sphere(tm) · · Score: 3, Informative

    >When a patch has been on the web for 6 months, it's not the software company's fault that the user company has no policy on updating software, insufficient IT staff, and no end-user training.

    Yesbut.

    It is still the software company's fault that the bug existed in the first place. If the client company doesn't dare install patches because previous patches have crashed the production systems, that's the software company's fault. If the software company's salespeople showed a TCO study that didn't include monitoring for patches, building a regression lab to test patches before deploying them, rolling out patches, and doing this weekly or monthly, then the salespeople misled the client company.

    If your car blows up because you got a recall notice six months ago and you ignored it, your fault. If your car gets three recall notices a week, there's something wrong at the manufacturer.